[vlc-commits] demux/asf: prevent integer overflow in ASF_NextObject
Filip Roséen
git at videolan.org
Mon Jul 18 06:01:56 CEST 2016
vlc/vlc-2.2 | branch: master | Filip Roséen <filip at videolabs.io> | Sat Jul 16 04:55:02 2016 +0200| [d4b507dc490ce2b6f2c211d3cf52d8c95ee036c1] | committer: Jean-Baptiste Kempf
demux/asf: prevent integer overflow in ASF_NextObject
Before returning from ASF_NextObject, the former implementation would
simply calculate "p_obj->common.i_object_pos + p_obj->common.i_object_size",
and pass the result to stream_Seek.
Of course this is rather dangerous given that the value of ".i_object_size"
is populated by simply reading the input stream.
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit bcdc90fadce053ae56a98d09ed93ffc3c25f1c00)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=d4b507dc490ce2b6f2c211d3cf52d8c95ee036c1
---
modules/demux/asf/libasf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index 7171549..b6f3e48 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -162,6 +162,9 @@ static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary
if( p_obj->common.i_object_size <= 0 )
return VLC_EGENERIC;
+ if( ( UINT64_MAX - p_obj->common.i_object_pos ) < p_obj->common.i_object_size )
+ return VLC_EGENERIC;
+
if( p_obj->common.p_father &&
p_obj->common.p_father->common.i_object_size != 0 )
{
More information about the vlc-commits
mailing list