[vlc-commits] demux: libasf: fix integer overflow
Francois Cartegnie
git at videolan.org
Sun Dec 25 22:48:18 CET 2016
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Sun Dec 25 22:05:24 2016 +0100| [c395028c8f867797a451152d7ad9fa542b7dc05f] | committer: Francois Cartegnie
demux: libasf: fix integer overflow
and read overflow on usage
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=c395028c8f867797a451152d7ad9fa542b7dc05f
---
modules/demux/asf/libasf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index 02204f0..af057be 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -1340,7 +1340,10 @@ static int ASF_ReadObject_marker(stream_t *s, asf_object_t *p_obj)
p_marker->i_send_time = ASF_READ4();
p_marker->i_flags = ASF_READ4();
p_marker->i_marker_description_length = ASF_READ4();
- p_marker->p_marker_description = ASF_READS( p_marker->i_marker_description_length * 2 );
+ if( p_marker->i_marker_description_length <= (UINT32_MAX / 2) )
+ p_marker->p_marker_description = ASF_READS( p_marker->i_marker_description_length * 2 );
+ else
+ p_marker->i_marker_description_length = 0;
}
}
More information about the vlc-commits
mailing list