[vlc-commits] avi: Fix potential integer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Thu May 23 17:21:13 CEST 2019
vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri May 17 13:17:41 2019 +0200| [2e7d1075b715e4e7a8772039c9a74b4834e64342] | committer: Hugo Beauzée-Luyssen
avi: Fix potential integer overflow
Leading to an out of bound read
https://hackerone.com/reports/501971
https://hackerone.com/reports/484398
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2e7d1075b715e4e7a8772039c9a74b4834e64342
---
modules/demux/avi/avi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index c6198c8c5a..50dc903852 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -815,7 +815,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
p_frame->i_buffer--;
}
- if( i_header >= p_frame->i_buffer )
+ if( i_header >= p_frame->i_buffer || tk->bihprops.i_stride > INT32_MAX - 3 )
{
p_frame->i_buffer = 0;
return p_frame;
@@ -825,7 +825,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
p_frame->p_buffer += i_header;
p_frame->i_buffer -= i_header;
- const unsigned int i_stride_bytes = ((( (tk->bihprops.i_stride << 3) + 31) & ~31) >> 3);
+ const unsigned int i_stride_bytes = (tk->bihprops.i_stride + 3) & ~3;
if ( !tk->bihprops.i_stride || !i_stride_bytes )
return p_frame;
More information about the vlc-commits
mailing list