[vlc-commits] demux: fix integer overflows in APE tag skipping

Rémi Denis-Courmont git at videolan.org
Tue Feb 7 21:00:23 CET 2017 

vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Tue Feb  7 21:56:30 2017 +0200| [4423fed572febf03aeee8152071dc4af8e530174] | committer: Rémi Denis-Courmont

demux: fix integer overflows in APE tag skipping

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=4423fed572febf03aeee8152071dc4af8e530174
---

 src/input/demux.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/input/demux.c b/src/input/demux.c
index 392a3f8..f3b0495 100644
--- a/src/input/demux.c
+++ b/src/input/demux.c
@@ -26,6 +26,7 @@
 #endif
 
 #include <assert.h>
+#include <limits.h>
 
 #include "demux.h"
 #include <libvlc.h>
@@ -570,9 +571,6 @@ static bool SkipID3Tag( demux_t *p_demux )
 static bool SkipAPETag( demux_t *p_demux )
 {
     const uint8_t *p_peek;
-    int i_version;
-    int i_size;
-    uint32_t flags;
 
     if( !p_demux->s )
         return false;
@@ -584,19 +582,23 @@ static bool SkipAPETag( demux_t *p_demux )
     if( memcmp( p_peek, "APETAGEX", 8 ) )
         return false;
 
-    i_version = GetDWLE( &p_peek[8] );
-    flags = GetDWLE( &p_peek[8+4+4] );
-    if( ( i_version != 1000 && i_version != 2000 ) || !( flags & (1<<29) ) )
+    uint_fast32_t version = GetDWLE( &p_peek[8] );
+    uint_fast32_t size = GetDWLE( &p_peek[8+4] );
+    uint_fast32_t flags = GetDWLE( &p_peek[8+4+4] );
+
+    if( (version != 1000 && version != 2000) || !(flags & (1u << 29))
+     || (size > SSIZE_MAX - 32u) )
         return false;
 
-    i_size = GetDWLE( &p_peek[8+4] ) + ( (flags&(1<<30)) ? 32 : 0 );
+    if( flags & (1u << 30) )
+        size += 32;
 
     /* Skip the entire tag */
-    if( vlc_stream_Read( p_demux->s, NULL, i_size ) < i_size )
+    if( vlc_stream_Read( p_demux->s, NULL, size ) < (ssize_t)size )
         return false;
 
-    msg_Dbg( p_demux, "AP2 v%d tag found, skipping %d bytes",
-             i_version/1000, i_size );
+    msg_Dbg( p_demux, "AP2 v%"PRIuFAST32" tag found, "
+             "skipping %"PRIuFAST32" bytes", version / 1000, size );
     return true;
 }

More information about the vlc-commits mailing list