[vlc-commits] sdp: fix potential read overflow and get rid of info.i_pos

Rémi Denis-Courmont git at videolan.org
Wed Sep 2 21:54:13 CEST 2015


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Tue Sep  1 21:44:37 2015 +0300| [111382936de269a7c51a05d9f86b943ecd84210b] | committer: Rémi Denis-Courmont

sdp: fix potential read overflow and get rid of info.i_pos

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=111382936de269a7c51a05d9f86b943ecd84210b
---

 modules/access/sdp.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/modules/access/sdp.c b/modules/access/sdp.c
index 5d9ef7a..0da35ba 100644
--- a/modules/access/sdp.c
+++ b/modules/access/sdp.c
@@ -46,6 +46,7 @@ static int Control (access_t *, int, va_list);
 
 struct access_sys_t
 {
+    size_t offset;
     size_t length;
     char   data[];
 };
@@ -60,6 +61,7 @@ static int Open (vlc_object_t *obj)
         return VLC_ENOMEM;
 
     /* NOTE: This copy is not really needed. Better safe than sorry. */
+    sys->offset = 0;
     sys->length = len;
     memcpy (sys->data, access->psz_location, len);
 
@@ -85,22 +87,26 @@ static ssize_t Read (access_t *access, uint8_t *buf, size_t len)
 {
     access_sys_t *sys = access->p_sys;
 
-    if (access->info.i_pos >= sys->length)
+    if (sys->offset >= sys->length)
     {
         access->info.b_eof = true;
         return 0;
     }
 
-    if (len > sys->length)
-        len = sys->length;
-    memcpy (buf, sys->data + access->info.i_pos, len);
-    access->info.i_pos += len;
+    if (len > sys->length - sys->offset)
+        len = sys->length - sys->offset;
+    memcpy (buf, sys->data + sys->offset, len);
     return len;
 }
 
 static int Seek (access_t *access, uint64_t position)
 {
-    access->info.i_pos = position;
+    access_sys_t *sys = access->p_sys;
+
+    if (position > sys->length)
+        position = sys->length;
+
+    sys->offset = position;
     access->info.b_eof = false;
     return VLC_SUCCESS;
 }
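Review bot: In the new `Read`, nothing advances `sys->offset` after the `memcpy`: the removed `access->info.i_pos += len;` has no counterpart on the new side. Unless code outside these hunks updates it, every call returns the same bytes from the current offset, and the `sys->offset >= sys->length` EOF branch is reached only for an empty buffer or after a `Seek` to the end, so a consumer reading until EOF would never terminate on a non-empty SDP. Add `sys->offset += len;` between the `memcpy` and `return len;`. The bounds handling itself looks right: the subtraction `sys->length - sys->offset` cannot wrap because the preceding check guarantees `offset < length`, and `Seek` clamps the 64-bit `position` before storing it in the `size_t` field. A short comment on `offset` in `access_sys_t` stating the invariant `offset <= length` would help keep it that way.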
@@ -135,6 +141,5 @@ static int Control (access_t *access, int query, va_list args)
         case ACCESS_SET_PAUSE_STATE:
             return VLC_SUCCESS;
     }
-    (void) access;
     return VLC_EGENERIC;
 }


