[vlc-commits] demux: avi: fix undefined read (fix #17635)
Francois Cartegnie
git at videolan.org
Sun Nov 13 21:01:04 CET 2016
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Sun Nov 13 19:50:18 2016 +0100| [3fe8d04f223bfca704d83914b9c110d85c9a4f86] | committer: Francois Cartegnie
demux: avi: fix undefined read (fix #17635)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=3fe8d04f223bfca704d83914b9c110d85c9a4f86
---
modules/demux/avi/avi.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 1939b28..e45b5de 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -30,6 +30,7 @@
#endif
#include <assert.h>
#include <ctype.h>
+#include <limits.h>
#include <vlc_common.h>
#include <vlc_plugin.h>
@@ -2204,7 +2205,7 @@ static int AVI_PacketGetHeader( demux_t *p_demux, avi_packet_t *p_pk )
static int AVI_PacketNext( demux_t *p_demux )
{
avi_packet_t avi_ck;
- int i_skip = 0;
+ size_t i_skip = 0;
if( AVI_PacketGetHeader( p_demux, &avi_ck ) )
{
@@ -2223,10 +2224,16 @@ static int AVI_PacketNext( demux_t *p_demux )
}
else
{
+ if( avi_ck.i_size > UINT32_MAX - 9 )
+ return VLC_EGENERIC;
i_skip = __EVEN( avi_ck.i_size ) + 8;
}
- if( vlc_stream_Read( p_demux->s, NULL, i_skip ) != i_skip )
+ if( i_skip > SSIZE_MAX )
+ return VLC_EGENERIC;
+
+ ssize_t i_ret = vlc_stream_Read( p_demux->s, NULL, i_skip );
+ if( i_ret < 0 || (size_t) i_ret != i_skip )
{
return VLC_EGENERIC;
}
More information about the vlc-commits
mailing list