[vlc-commits] input/control: INPUT_GET_SEEKPOINTS: prevent out-of-bounds reads
Filip Roséen
git at videolan.org
Mon Mar 6 09:24:37 CET 2017
vlc | branch: master | Filip Roséen <filip at atch.se> | Wed Mar 1 20:11:43 2017 +0100| [8a0272b8ebe3c825b6b53b53afac4c5e51a75995] | committer: Jean-Baptiste Kempf
input/control: INPUT_GET_SEEKPOINTS: prevent out-of-bounds reads
The previous implementation would potentially read the "element" right
after the last one in the subsequently used array (as priv->i_title
denotes the number of titles present).
These changes also include a check to make sure that var_GetInteger(
p_input, "title" ) does not result in a negative value (as such can be
used to read from outside the array, but on the other side).
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8a0272b8ebe3c825b6b53b53afac4c5e51a75995
---
src/input/control.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/input/control.c b/src/input/control.c
index a50e25b..d840cee 100644
--- a/src/input/control.c
+++ b/src/input/control.c
@@ -393,7 +393,7 @@ int input_vaControl( input_thread_t *p_input, int i_query, va_list args )
if ( *pi_title_to_fetch < 0 ) /* query current title if -1 */
*pi_title_to_fetch = var_GetInteger( p_input, "title" );
- if( !priv->i_title || priv->i_title < *pi_title_to_fetch )
+ if( priv->i_title == 0 || priv->i_title <= *pi_title_to_fetch )
{
vlc_mutex_unlock( &priv->p_item->lock );
return VLC_EGENERIC;
More information about the vlc-commits
mailing list