[vlc-commits] demux/ttml: fix invalid allocation

[Filip Roséen]

vlc | branch: master | Filip Roséen <filip at atch.se> | Mon Sep 19 23:53:40 2016 +0200| [45ea4a7dd571d31743b84836e60c848ecf763170] | committer: Hugo Beauzée-Luyssen

demux/ttml: fix invalid allocation

The previous implementation could potentially pass a negative value to
realloc, causing it to underflow the size_t argument - leading to a
far too big allocation.

These changes circumvents the problem by first checking so that we
have at least N > 0 elements to allocate memory for.

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=45ea4a7dd571d31743b84836e60c848ecf763170
---

 modules/demux/ttml.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/demux/ttml.c b/modules/demux/ttml.c
index 444d99d..5bbb8e1 100644
--- a/modules/demux/ttml.c
+++ b/modules/demux/ttml.c
@@ -516,11 +516,17 @@ static int ParseTimeOnSpan( demux_sys_t* p_sys, char* psz_text )
 
     qsort( p_times->pp_elems, p_times->i_count, sizeof( mtime_t* ), timeCmp );
 
-    subtitle_t* p_tmp_sub = realloc( p_sys->subtitle, sizeof( *p_sys->subtitle ) * ( p_times->i_count - 1 + p_sys->i_subtitles ) );
-    if( unlikely( p_tmp_sub == NULL ) )
-        goto error;
+    ssize_t total_count = p_times->i_count + p_sys->i_subtitles - 1;
+
+    if( total_count > 0 )
+    {
+        subtitle_t* p_tmp_sub = realloc( p_sys->subtitle, sizeof( *p_sys->subtitle ) * total_count );
 
-    p_sys->subtitle = p_tmp_sub;
+        if( unlikely( p_tmp_sub == NULL ) )
+            goto error;
+
+        p_sys->subtitle = p_tmp_sub;
+    }
     /*
     * For each time space represented by the times inside the p_times array
     * we create a p tag with all the spans inside.