[vlc-commits] block: Fix buffer total size in block_Alloc()
Casian Andrei
git at videolan.org
Sat May 5 19:23:05 CEST 2012
vlc | branch: master | Casian Andrei <skeletk13 at gmail.com> | Sat May 5 19:42:54 2012 +0300| [a5ebee89e06ed57ede6cf91641dc7c1d3c638fcb] | committer: Rémi Denis-Courmont
block: Fix buffer total size in block_Alloc()
The total size of the buffer (i_size) was initialized with the whole
allocated size for the block. This fooled block_Realloc() in the case of
resizing to slightly larger, with the extra size in range from
32 to 32 + 80 bytes. block_Realloc() assumed it had enough space left in
the buffer padding to avoid reallocating memory.
Consequently, the block ended up with an i_buffer field with a value
larger than the allocated memory around p_buffer.
In the end, this could cause memory corruptions in all sorts of cases.
In my case, vlc was crashing while encountering a corrupted mp3 file.
Signed-off-by: Rémi Denis-Courmont <remi at remlab.net>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a5ebee89e06ed57ede6cf91641dc7c1d3c638fcb
---
src/misc/block.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/misc/block.c b/src/misc/block.c
index bed781d..cdd053e 100644
--- a/src/misc/block.c
+++ b/src/misc/block.c
@@ -133,7 +133,7 @@ block_t *block_Alloc (size_t size)
if (unlikely(b == NULL))
return NULL;
- block_Init (b, b + 1, alloc);
+ block_Init (b, b + 1, alloc - sizeof (*b));
static_assert ((BLOCK_PADDING % BLOCK_ALIGN) == 0,
"BLOCK_PADDING must be a multiple of BLOCK_ALIGN");
b->p_buffer += BLOCK_PADDING + BLOCK_ALIGN - 1;
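Review bot: the new size argument on the `+` line, `alloc - sizeof (*b)`, relies on an invariant that nothing in this hunk writes down: the third argument of block_Init() is the byte count of the region starting at `b + 1`, not of the whole allocation. A short comment above the call stating that would help, as would an assert after the `b->p_buffer` adjustment that the payload end stays within the region handed to block_Init(), so that a later change to the allocation layout cannot silently reintroduce the overcount. The computation of `alloc` is outside the visible context, so it is also worth confirming that it always includes `sizeof (*b)`, since the subtraction would otherwise wrap.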
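The accounting error described in the commit message, as an added example that is not VLC's code and not part of the original mail: a simplified header-plus-buffer model showing that recording the whole allocation as the buffer size makes an in-place grow check accept requests that overrun the allocation by up to one header's worth of bytes. The `model_block` type, the `PAD` value of 32 and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

#define PAD 32u /* assumed padding kept on each side of the payload */

/* Hypothetical model of a header followed by its buffer; not VLC's block_t. */
typedef struct {
    unsigned char *p_start;  /* first byte after the header */
    size_t         i_size;   /* recorded size of the region at p_start */
    unsigned char *p_buffer; /* current payload start */
    size_t         i_buffer; /* current payload length */
    size_t         real;     /* bytes truly allocated after the header */
} model_block;

/* count_header != 0 reproduces the pre-fix accounting (i_size = alloc). */
static model_block *model_alloc(size_t size, int count_header)
{
    size_t alloc = sizeof(model_block) + 2 * PAD + size;
    model_block *b = malloc(alloc);
    if (b == NULL)
        return NULL;
    b->p_start  = (unsigned char *)(b + 1);
    b->real     = alloc - sizeof(*b);
    b->i_size   = count_header ? alloc : b->real;
    b->p_buffer = b->p_start + PAD;
    b->i_buffer = size;
    return b;
}

/* In-place grow test as a resize routine would make it: it trusts i_size. */
static int grow_fits(const model_block *b, size_t extra)
{
    size_t used = (size_t)(b->p_buffer - b->p_start) + b->i_buffer;
    return extra <= b->i_size - used;
}

/* Count the `extra` sizes accepted in place that overrun the allocation. */
static size_t unsafe_grows(size_t size, int count_header)
{
    model_block *b = model_alloc(size, count_header);
    if (b == NULL)
        return (size_t)-1;
    size_t used = (size_t)(b->p_buffer - b->p_start) + b->i_buffer;
    size_t bad = 0;
    for (size_t extra = 0; extra <= 4 * (sizeof(*b) + PAD); extra++)
        if (grow_fits(b, extra) && extra > b->real - used)
            bad++;
    free(b);
    return bad;
}
```

In this model the unsafe window runs from `PAD + 1` to `PAD + sizeof(model_block)` extra bytes, the same shape as the range quoted in the commit message.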