[vlc-commits] stream_out: rtp: fix invalid memory access (write)

[Fabian Yamaguchi]

vlc | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Fri Dec  5 13:58:24 2014 +0100| [de28a895b22b49e25ad2ae08218812f11e86ab14] | committer: Jean-Baptiste Kempf

stream_out: rtp: fix invalid memory access (write)

When streaming ogg-files via rtp, the ogg-file can trigger an invalid
write access using an overly long 'configuration' string. The original
code attemps to allocate space to hold the string on the stack and
hence, cannot verify if allocation succeeds. Instead, we now allocate
the buffer on the heap and return if allocation fails.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=de28a895b22b49e25ad2ae08218812f11e86ab14
---

 modules/stream_out/rtpfmt.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
index 8119a36..2f4eb73 100644
--- a/modules/stream_out/rtpfmt.c
+++ b/modules/stream_out/rtpfmt.c
@@ -559,7 +559,14 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
     char *end = strchr(start, ';');
     assert(end != NULL);
     size_t len = end - start;
-    char b64[len + 1];
+
+    if (len == SIZE_MAX)
+        return VLC_EGENERIC;
+
+    char *b64 = malloc(len + 1);
+    if (!b64)
+        return VLC_EGENERIC;
+
     memcpy(b64, start, len);
     b64[len] = '\0';
 
@@ -569,6 +576,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
     int i_data;
 
     i_data = vlc_b64_decode_binary(&p_orig, b64);
+    free(b64);
     if (i_data <= 9)
     {
         free(p_orig);