[vlc-commits] demux/asf: prevent integer overflow in ASF_NextObject

Filip Roséen git at videolan.org
Mon Jul 18 06:01:56 CEST 2016


vlc/vlc-2.2 | branch: master | Filip Roséen <filip at videolabs.io> | Sat Jul 16 04:55:02 2016 +0200| [d4b507dc490ce2b6f2c211d3cf52d8c95ee036c1] | committer: Jean-Baptiste Kempf

demux/asf: prevent integer overflow in ASF_NextObject

Before returning from ASF_NextObject, the former implementation would
simply calculate "p_obj->common.i_object_pos + p_obj->common.i_object_size",
and pass the result to stream_Seek.

Of course this is rather dangerous given that the value of ".i_object_size"
is populated by simply reading the input stream.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit bcdc90fadce053ae56a98d09ed93ffc3c25f1c00)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=d4b507dc490ce2b6f2c211d3cf52d8c95ee036c1
---

 modules/demux/asf/libasf.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index 7171549..b6f3e48 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -162,6 +162,9 @@ static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary
     if( p_obj->common.i_object_size <= 0 )
         return VLC_EGENERIC;
 
+    if( ( UINT64_MAX - p_obj->common.i_object_pos ) < p_obj->common.i_object_size )
+        return VLC_EGENERIC;
+
     if( p_obj->common.p_father &&
         p_obj->common.p_father->common.i_object_size != 0 )
     {
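Review bot: the added comparison `( UINT64_MAX - p_obj->common.i_object_pos ) < p_obj->common.i_object_size` only rules out wraparound of the 64-bit sum. A size read from the file that does not wrap but still lands far beyond the parent object or the `i_boundary` argument passes this check. Please confirm that the `p_father` block starting in the trailing context bounds `i_object_pos + i_object_size` before the result reaches stream_Seek, or add that bound here. A one-line comment above the new check noting that `i_object_size` is taken directly from the input stream would also help. The existing `i_object_size <= 0` test just above reads as a signed check, while the new line treats the field as an unsigned 64-bit value. If the field is unsigned, `== 0` would state the intent more clearly.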


