[vlc-commits] demux/nsv: invalid NSVf header size leads to infinite loop (fixes #17563)
Filip Roséen
git at videolan.org
Tue Nov 1 22:24:11 CET 2016
vlc | branch: master | Filip Roséen <filip at atch.se> | Sun Oct 30 23:27:36 2016 +0100| [87cf24c252569d13335cee006ae59c1fe0718705] | committer: Rémi Denis-Courmont
demux/nsv: invalid NSVf header size leads to infinite loop (fixes #17563)
According to the specification of nsv, a file header size of 0 (and
0xFFFFFFFF) is invalid; these changes prevents an infinite loop if the
size is specified as the former, while also making sure that we do not
try to parse files containing the latter.
- http://multimedia.cx/nsv-format.txt
Signed-off-by: Rémi Denis-Courmont <remi at remlab.net>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=87cf24c252569d13335cee006ae59c1fe0718705
---
modules/demux/nsv.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/demux/nsv.c b/modules/demux/nsv.c
index cfe9a2d..fc260f9 100644
--- a/modules/demux/nsv.c
+++ b/modules/demux/nsv.c
@@ -446,7 +446,6 @@ static int ReadNSVf( demux_t *p_demux )
{
/* demux_sys_t *p_sys = p_demux->p_sys; */
const uint8_t *p;
- int i_size;
msg_Dbg( p_demux, "new NSVf chunk" );
if( vlc_stream_Peek( p_demux->s, &p, 8 ) < 8 )
@@ -454,10 +453,15 @@ static int ReadNSVf( demux_t *p_demux )
return VLC_EGENERIC;
}
- i_size = GetDWLE( &p[4] );
- msg_Dbg( p_demux, " - size=%d", i_size );
+ uint32_t i_header_size = GetDWLE( &p[4] );
+ msg_Dbg( p_demux, " - size=%" PRIu32, i_header_size );
+
+ if( i_header_size == 0 || i_header_size == UINT32_MAX )
+ return VLC_EGENERIC;
+
- return vlc_stream_Read( p_demux->s, NULL, i_size ) == i_size ? VLC_SUCCESS : VLC_EGENERIC;
+ return vlc_stream_Read( p_demux->s, NULL, i_header_size ) == i_header_size
+ ? VLC_SUCCESS : VLC_EGENERIC;
}
/*****************************************************************************
* ReadNSVs:
More information about the vlc-commits
mailing list