[vlc-commits] misc: update: fix buffer overflow in updater
Fabian Yamaguchi
git at videolan.org
Thu Jan 22 14:31:38 CET 2015
vlc/vlc-2.1 | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Sat Dec 6 13:12:38 2014 +0100| [9ddfcbb6e5222871de9b2047c939cf1da1fdbe7b] | committer: Jean-Baptiste Kempf
misc: update: fix buffer overflow in updater
On 32-bit builds, parsing of update status files with a size of
4294967295 or more led to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice).
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit fbe2837bc80f155c001781041a54c58b5524fc14)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.1.git/?a=commit;h=9ddfcbb6e5222871de9b2047c939cf1da1fdbe7b
---
src/misc/update.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/misc/update.c b/src/misc/update.c
index 600e900..32e8701 100644
--- a/src/misc/update.c
+++ b/src/misc/update.c
@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
}
const int64_t i_read = stream_Size( p_stream );
+
+ if( i_read < 0 || i_read >= UINT16_MAX)
+ {
+ msg_Err(p_update->p_libvlc, "Status file too large");
+ goto error;
+ }
+
psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
if( !psz_update_data )
goto error;
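Review bot: the added condition `if( i_read < 0 || i_read >= UINT16_MAX)` logs "Status file too large" for a negative `i_read` as well, so a failed or unknown size from `stream_Size( p_stream )` is reported as an oversized file. Consider splitting the two cases or wording the message to cover both (for example "Status file has invalid size"), so the log distinguishes a broken stream from an oversized status file. The limit would also read better as a named constant with a short comment stating that it keeps `malloc( i_read + 1 )` well inside the range of a 32-bit `size_t`, since `UINT16_MAX` on its own does not say why that bound was chosen. Minor style point: the closing parenthesis in `UINT16_MAX)` lacks the inner space used elsewhere in this function, as in `malloc( i_read + 1 )`.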