[vlc-commits] demux/xiph_metadata: prevent integer overflow (#17593)
Filip Roséen
git at videolan.org
Tue Dec 6 16:07:07 CET 2016
vlc/vlc-2.2 | branch: master | Filip Roséen <filip at atch.se> | Tue Dec 6 09:02:40 2016 +0100| [fad42291258b6916479a7cb343f5483ea20f236c] | committer: Jean-Baptiste Kempf
demux/xiph_metadata: prevent integer overflow (#17593)
The previous implementation assumed that a 32-bit integer would fit
in an `int`, something which is not guaranteed and might cause an
integer overflow.
These changes changes the declared type of the relevant variables, by
also making a slight amount of clean-up on the affected paths, such
as:
- merging declaration and initialization
- fixing redundant if-conditions
fixes #17593
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit f931a00f6a1ee581fec66c59964bf0e95a4b7411)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=fad42291258b6916479a7cb343f5483ea20f236c
---
modules/demux/xiph_metadata.c | 51 +++++++++++++++++++------------------------
modules/demux/xiph_metadata.h | 2 +-
2 files changed, 23 insertions(+), 30 deletions(-)
diff --git a/modules/demux/xiph_metadata.c b/modules/demux/xiph_metadata.c
index de7f289..0d074f0 100644
--- a/modules/demux/xiph_metadata.c
+++ b/modules/demux/xiph_metadata.c
@@ -190,44 +190,37 @@ static seekpoint_t * getChapterEntry( unsigned int i_index, chapters_array_t *p_
}
void vorbis_ParseComment( es_format_t *p_fmt, vlc_meta_t **pp_meta,
- const uint8_t *p_data, int i_data,
+ const uint8_t *p_data, size_t i_data,
int *i_attachments, input_attachment_t ***attachments,
int *i_cover_score, int *i_cover_idx,
int *i_seekpoint, seekpoint_t ***ppp_seekpoint,
float (* ppf_replay_gain)[AUDIO_REPLAY_GAIN_MAX],
float (* ppf_replay_peak)[AUDIO_REPLAY_GAIN_MAX] )
{
- int n;
- int i_comment;
-
if( i_data < 8 )
return;
- n = GetDWLE(p_data); RM(4);
- if( n < 0 || n > i_data )
- return;
-#if 0
- if( n > 0 )
- {
- /* TODO report vendor string ? */
- char *psz_vendor = psz_vendor = strndup( p_data, n );
- free( psz_vendor );
- }
-#endif
- RM(n);
+ uint32_t vendor_length = GetDWLE(p_data); RM(4);
+
+ if( vendor_length > i_data )
+ return; /* invalid length */
+
+ RM(vendor_length); /* TODO: handle vendor payload */
if( i_data < 4 )
return;
- i_comment = GetDWLE(p_data); RM(4);
- if( i_comment <= 0 )
- return;
+ uint32_t i_comment = GetDWLE(p_data); RM(4);
+
+ if( i_comment > i_data || i_comment == 0 )
+ return; /* invalid length */
/* */
vlc_meta_t *p_meta = *pp_meta;
if( !p_meta )
*pp_meta = p_meta = vlc_meta_New();
- if( !p_meta )
+
+ if( unlikely( !p_meta ) )
return;
/* */
@@ -247,19 +240,19 @@ void vorbis_ParseComment( es_format_t *p_fmt, vlc_meta_t **pp_meta,
chapters_array_t chapters_array = { 0, NULL };
- for( ; i_comment > 0; i_comment-- )
+ for( ; i_comment > 0 && i_data >= 4; i_comment-- )
{
- char *psz_comment;
- if( i_data < 4 )
- break;
- n = GetDWLE(p_data); RM(4);
- if( n > i_data )
+ uint32_t comment_size = GetDWLE(p_data); RM(4);
+
+ if( comment_size > i_data )
break;
- if( n <= 0 )
+
+ if( comment_size == 0 )
continue;
- psz_comment = strndup( (const char*)p_data, n );
- RM(n);
+ char* psz_comment = strndup( (const char*)p_data, comment_size );
+
+ RM(comment_size);
EnsureUTF8( psz_comment );
diff --git a/modules/demux/xiph_metadata.h b/modules/demux/xiph_metadata.h
index dc06760..f465243 100644
--- a/modules/demux/xiph_metadata.h
+++ b/modules/demux/xiph_metadata.h
@@ -33,7 +33,7 @@ input_attachment_t* ParseFlacPicture( const uint8_t *p_data, size_t i_data,
int i_attachments, int *i_cover_score, int *i_cover_idx );
void vorbis_ParseComment( es_format_t *p_fmt, vlc_meta_t **pp_meta,
- const uint8_t *p_data, int i_data,
+ const uint8_t *p_data, size_t i_data,
int *i_attachments, input_attachment_t ***attachments,
int *i_cover_score, int *i_cover_idx,
int *i_seekpoint, seekpoint_t ***ppp_seekpoint,
More information about the vlc-commits
mailing list