[vlc-commits] codec/jpeg: jpeg_GetProjection: prevent out-of-bound read

Filip Roséen git at videolan.org
Thu May 18 18:21:14 CEST 2017


vlc | branch: master | Filip Roséen <filip at atch.se> | Thu May 18 16:46:05 2017 +0200| [ce4d1fbde741abdb9358c1d4fade825922ccdc74] | committer: Rémi Denis-Courmont

codec/jpeg: jpeg_GetProjection: prevent out-of-bound read

We must take ill-formed XMP data into account, as a missing
null-termination of the XMP data leads to a heap-buffer-overflow (as
later parts of the implementation assume that the data is
null-terminated (as it should be)).

fixes: #18340

Signed-off-by: Rémi Denis-Courmont <remi at remlab.net>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ce4d1fbde741abdb9358c1d4fade825922ccdc74
---

 modules/codec/jpeg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/codec/jpeg.c b/modules/codec/jpeg.c
index 5c26d1fc69..90cd06a18a 100644
--- a/modules/codec/jpeg.c
+++ b/modules/codec/jpeg.c
@@ -301,10 +301,11 @@ static void jpeg_GetProjection(j_decompress_ptr cinfo, video_format_t *fmt)
 
     if (xmp_marker == NULL || xmp_marker->data_length < 32)
         return;
-    char *psz_rdf = malloc(xmp_marker->data_length - 29);
+    char *psz_rdf = malloc(xmp_marker->data_length - 29 + 1);
     if (unlikely(psz_rdf == NULL))
         return;
     memcpy(psz_rdf, xmp_marker->data + 29, xmp_marker->data_length - 29);
+    psz_rdf[xmp_marker->data_length - 29] = '\0';
 
     /* Try to find the string "GSpherical:Spherical" because the v1
         spherical video spec says the tag must be there. */
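Review bot: the expression `xmp_marker->data_length - 29` now appears three times in this hunk (the malloc size, the memcpy length and the index of the terminator), and the fix is only correct while all three stay in step. Computing it once, for example `const size_t i_rdf = xmp_marker->data_length - 29;`, and then using `malloc(i_rdf + 1)`, `memcpy(psz_rdf, xmp_marker->data + 29, i_rdf)` and `psz_rdf[i_rdf] = '\0'`, would make the off-by-one intent explicit and harder to break in a later edit. The literal 29 and the 32 in the length check above are also unexplained magic numbers; a named constant or a short comment saying what the skipped prefix is would help readers confirm that the `data_length < 32` guard is what keeps the subtraction from underflowing. It is also worth noting in a comment that the terminator only bounds the later string searches: marker data containing an embedded NUL will still be treated as a shorter string, which is safe but silent.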


