[vlc-commits] modules/services_discovery/sap.c: avoid out-of-bounds write

Nickolai Zeldovich git at videolan.org
Thu Jan 17 17:54:57 CET 2013


vlc/vlc-2.0 | branch: master | Nickolai Zeldovich <nickolai at csail.mit.edu> | Wed Jan 16 20:03:20 2013 -0500| [a520ae9e14137879ea9de7bcd38013eb63ce7b01] | committer: Rémi Denis-Courmont

modules/services_discovery/sap.c: avoid out-of-bounds write

After OpenDemux reads data using stream_Read(), it writes a '\0' to
the buffer after the newly-read data, but if the stream returned exactly
i_read_max bytes, this '\0' will end up just past the end of the allocated
psz_sdp array (see the call to realloc at the beginning of the loop).
Adjust the realloc call to allocate this one extra byte.

Signed-off-by: Rémi Denis-Courmont <remi at remlab.net>
(cherry picked from commit dee928705dd32839317dca0e77089b02dd720763)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=a520ae9e14137879ea9de7bcd38013eb63ce7b01
---

 modules/services_discovery/sap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/services_discovery/sap.c b/modules/services_discovery/sap.c
index 38775e0..5bfacbe 100644
--- a/modules/services_discovery/sap.c
+++ b/modules/services_discovery/sap.c
@@ -348,7 +348,7 @@ static int OpenDemux( vlc_object_t *p_this )
     for( i_len = 0, psz_sdp = NULL; i_len < 65536; )
     {
         const int i_read_max = 1024;
-        char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max );
+        char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max + 1 );
         size_t i_read;
         if( psz_sdp_new == NULL )
         {
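Review bot: The `+ 1` on the realloc line in OpenDemux carries no comment saying it reserves the byte for the terminating '\0', so a later cleanup could take it for a stray constant and remove it; a short comment on that line, such as `/* +1 for the '\0' written after the read */`, would record the intent. The terminator write itself is outside the lines shown here, so the review should also confirm that it lands at an offset no larger than i_len + i_read_max once i_read has been added. Separately, i_read_max is declared `const int` while i_read is `size_t`; making the bound a `size_t` would keep the size arithmetic passed to realloc in one unsigned type.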


