[vlc-commits] lpcm: validate block_nb_frames in DVD/LPCM cases
Filip Roséen
git at videolan.org
Wed Dec 7 15:22:58 CET 2016
vlc/vlc-2.2 | branch: master | Filip Roséen <filip at atch.se> | Wed Dec 7 15:19:09 2016 +0100| [d75cb6ebc89f89f91ee940c55fc8345aa1f7a35d] | committer: Jean-Baptiste Kempf
lpcm: validate block_nb_frames in DVD/LPCM cases
Fix heap overflow due to invalid header data
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit 8447e3d87b65c36d57a2c55d4afb717bb1945321)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=d75cb6ebc89f89f91ee940c55fc8345aa1f7a35d
---
modules/codec/lpcm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/modules/codec/lpcm.c b/modules/codec/lpcm.c
index e040133..d158ad3 100644
--- a/modules/codec/lpcm.c
+++ b/modules/codec/lpcm.c
@@ -434,6 +434,20 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
p_block->p_buffer += p_sys->i_header_size + i_padding;
p_block->i_buffer -= p_sys->i_header_size + i_padding;
+ const unsigned block_nb_frames = p_block->i_buffer / ( i_bits * 4 / 8 );
+ const unsigned aout_nb_frames = p_aout_buffer->i_nb_samples
+ / ( p_dec->fmt_out.audio.i_bitspersample / 8 );
+
+ if( block_nb_frames > aout_nb_frames )
+ {
+ msg_Warn( p_dec, "invalid block size" );
+
+ block_Release( p_block );
+ block_Release( p_aout_buffer );
+
+ return NULL;
+ }
+
switch( p_sys->i_type )
{
case LPCM_WIDI:
More information about the vlc-commits
mailing list