[vlc-commits] avformat: fix heap read overflow and invalid cast

Rémi Denis-Courmont git at videolan.org
Wed Oct 21 18:56:59 CEST 2015


vlc/vlc-2.2 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Aug 28 21:37:17 2015 +0300| [41503d6994ae0cd27a7564ba66e76a5d90adf332] | committer: Jean-Baptiste Kempf

avformat: fix heap read overflow and invalid cast

avformat needs nul padding after the probe data.

(cherry picked from commit 48a017006cc038c9783bccfc1d56f9ec2070fa54)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=41503d6994ae0cd27a7564ba66e76a5d90adf332
---

 modules/demux/avformat/demux.c |   33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
index df92ea8..2b33de7 100644
--- a/modules/demux/avformat/demux.c
+++ b/modules/demux/avformat/demux.c
@@ -163,8 +163,24 @@ int OpenDemux( vlc_object_t *p_this )
     int64_t       i_start_time = -1;
     bool          b_can_seek;
     char         *psz_url;
+    const uint8_t *peek;
     int           error;
 
+    /* Init Probe data */
+    pd.buf_size = stream_Peek( p_demux->s, &peek, 2048 + 213 );
+    if( pd.buf_size <= 0 )
+    {
+        msg_Warn( p_demux, "cannot peek" );
+        return VLC_EGENERIC;
+    }
+
+    pd.buf = malloc( pd.buf_size + AVPROBE_PADDING_SIZE );
+    if( unlikely(pd.buf == NULL) )
+        return VLC_ENOMEM;
+
+    memcpy( pd.buf, peek, pd.buf_size );
+    memset( pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE );
+
     if( p_demux->psz_file )
         psz_url = strdup( p_demux->psz_file );
     else
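Review bot: The new padded copy at `pd.buf = malloc( pd.buf_size + AVPROBE_PADDING_SIZE );` is the actual fix, but the only comment on it is the old `/* Init Probe data */`, which does not say why the peeked bytes are copied. A later cleanup could therefore go back to passing the stream_Peek() pointer straight to the prober. I would replace the comment with something like `/* avformat probers may read up to AVPROBE_PADDING_SIZE bytes past buf_size; the peek buffer has no such slack, so probe from a zero-padded copy */`. It is also worth noting there that `pd.buf` is now owned by OpenDemux until the `free( pd.buf )` in the last hunk, so any early return added in between has to release it. The lines between this hunk and the next are not visible here, so I am assuming no such return exists today.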
@@ -177,18 +193,13 @@ int OpenDemux( vlc_object_t *p_this )
     if( psz_url != NULL )
         msg_Dbg( p_demux, "trying url: %s", psz_url );
 
-    /* Init Probe data */
     pd.filename = psz_url;
-    if( ( pd.buf_size = stream_Peek( p_demux->s, (const uint8_t**)&pd.buf, 2048 + 213 ) ) <= 0 )
-    {
-        free( psz_url );
-        msg_Warn( p_demux, "cannot peek" );
-        return VLC_EGENERIC;
-    }
+
     stream_Control( p_demux->s, STREAM_CAN_SEEK, &b_can_seek );
 
     vlc_init_avformat(p_this);
 
+    /* Guess format */
     char *psz_format = var_InheritString( p_this, "avformat-format" );
     if( psz_format )
     {
@@ -197,8 +208,12 @@ int OpenDemux( vlc_object_t *p_this )
         free( psz_format );
     }
 
-    /* Guess format */
-    if( !fmt && !( fmt = av_probe_input_format( &pd, 1 ) ) )
+    if( fmt == NULL )
+        fmt = av_probe_input_format( &pd, 1 );
+
+    free( pd.buf );
+
+    if( fmt == NULL )
     {
         msg_Dbg( p_demux, "couldn't guess format" );
         free( psz_url );
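Review bot: After `free( pd.buf );` the struct still holds the stale pointer and a non-zero `buf_size`, so any later read through `pd` in OpenDemux would touch freed heap memory. The rest of the function lies outside this hunk, so I cannot confirm that `pd` is never used again. Adding `pd.buf = NULL; pd.buf_size = 0;` directly after the free would make an accidental reuse obvious rather than a silent use-after-free. Freeing before the `fmt == NULL` check is the right order, since it covers both the success and the "couldn't guess format" paths with one call.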


