[vlc-commits] avi: Fix potential integer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Thu May 23 17:40:43 CEST 2019
vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri May 17 13:17:41 2019 +0200| [b96e1a6380368240a156d84617c4379df14b0ec1] | committer: Hugo Beauzée-Luyssen
avi: Fix potential integer overflow
Leading to an out of bound read
https://hackerone.com/reports/501971
https://hackerone.com/reports/484398
(cherry picked from commit 2e7d1075b715e4e7a8772039c9a74b4834e64342)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=b96e1a6380368240a156d84617c4379df14b0ec1
---
modules/demux/avi/avi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 3492485a25..fb1c8e728b 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -944,7 +944,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
p_frame->i_buffer--;
}
- if( i_header >= p_frame->i_buffer )
+ if( i_header >= p_frame->i_buffer || tk->i_width_bytes > INT32_MAX - 3 )
{
p_frame->i_buffer = 0;
return p_frame;
@@ -954,7 +954,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
p_frame->p_buffer += i_header;
p_frame->i_buffer -= i_header;
- const unsigned int i_stride_bytes = ((( (tk->i_width_bytes << 3) + 31) & ~31) >> 3);
+ const unsigned int i_stride_bytes = (tk->i_width_bytes + 3) & ~3;
if ( !tk->i_width_bytes || !i_stride_bytes )
return p_frame;
More information about the vlc-commits
mailing list