[vlc-commits] access: mmstu: check for overflows (refs #16246)

Francois Cartegnie git at videolan.org
Mon Dec 28 23:35:53 CET 2015


vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Dec 28 12:57:08 2015 +0100| [ed59e9654eb4762134077f7bae972fc267f2f54f] | committer: Jean-Baptiste Kempf

access: mmstu: check for overflows (refs #16246)

(cherry picked from commit 90ceeec675148623dd214b7f255c7a08baf614b5)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=ed59e9654eb4762134077f7bae972fc267f2f54f
---

 modules/access/mms/mmstu.c |   28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c
index 3d7e96e..4db45ee 100644
--- a/modules/access/mms/mmstu.c
+++ b/modules/access/mms/mmstu.c
@@ -446,11 +446,12 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
 
     var_buffer_t buffer;
     char         *tmp;
-    uint16_t     *p;
-    int          i_server_version;
-    int          i_tool_version;
-    int          i_update_player_url;
-    int          i_encryption_type;
+    const uint16_t *p;
+    const uint8_t  *p_cmdend;
+    uint32_t     i_server_version;
+    uint32_t     i_tool_version;
+    uint32_t     i_update_player_url;
+    uint32_t     i_encryption_type;
     int          i;
     int          i_streams;
     int          i_first;
@@ -553,11 +554,20 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
     i_update_player_url = GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 40 );
     i_encryption_type = GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 44 );
     p = (uint16_t*)( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 48 );
+    p_cmdend = &p_sys->p_cmd[p_sys->i_cmd];
+
 #define GETUTF16( psz, size ) \
-    { \
-        int i; \
-        psz = xmalloc( size + 1); \
-        for( i = 0; i < size; i++ ) \
+    if( (UINT32_MAX == size) || \
+        ((uintptr_t) p / sizeof(uint16_t) < size) || \
+       ((UINTPTR_MAX - (uintptr_t) p_cmdend) / sizeof(uint16_t)) < size )\
+    {\
+        var_buffer_free( &buffer );\
+        MMSClose( p_access );\
+        return VLC_EBADVAR;\
+    }\
+    if( (psz = malloc(size + 1)) )\
+    {\
+        for( size_t i = 0; i < size; i++ ) \
         { \
             psz[i] = p[i]; \
         } \
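Review bot: The new guard in `GETUTF16` compares `size` with the absolute addresses of `p` and `p_cmdend` instead of the number of bytes left between them. A length larger than the remaining command data (presumably taken from the received packet) therefore still passes, and the copy loop `psz[i] = p[i]` can read past `&p_sys->p_cmd[p_sys->i_cmd]`. The bound should be the remaining room, for example `if( (const uint8_t *)p > p_cmdend || (size_t)(p_cmdend - (const uint8_t *)p) / sizeof(uint16_t) < size )`, while keeping the `UINT32_MAX == size` test for the `size + 1` allocation. The macro body continues past the end of this hunk, so it is not visible whether the `malloc` failure branch leaves `psz` as NULL for later users or whether `p` is still advanced in that case. A short comment on the macro stating both would help.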


