[vlc-commits] codec: schroedinger: fix potential buffer overflow.

Fabian Yamaguchi git at videolan.org
Fri Dec 5 23:23:04 CET 2014


vlc | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Fri Dec  5 15:18:22 2014 +0100| [191d6144349b7e9b8cdc52cb8c6890c82832d828] | committer: Jean-Baptiste Kempf

codec: schroedinger: fix potential buffer overflow.

The variable len is a raw 32 bit value read using GetDWBE. If this
value is larger than UINT32_MAX - sizeof(eos), this will cause an
integer overflow in the subsequent call to malloc, and finally a
buffer overflow when calling memcpy. We fix this by checking len
accordingly.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=191d6144349b7e9b8cdc52cb8c6890c82832d828
---

 modules/codec/schroedinger.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
index f48aa2b..977afca 100644
--- a/modules/codec/schroedinger.c
+++ b/modules/codec/schroedinger.c
@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
                      * is appended to the sequence header to allow guard
                      * against poor streaming servers */
                     /* XXX, should this be done using the packetizer ? */
+
+                    if( len > UINT32_MAX - sizeof( eos ) )
+                        return NULL;
+
                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
                     if( !p_enc->fmt_out.p_extra )
                         return NULL;



More information about the vlc-commits mailing list