[vlc-commits] avi: Fix potential integer overflow

Hugo Beauzée-Luyssen git at videolan.org
Thu May 23 17:40:43 CEST 2019


vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri May 17 13:17:41 2019 +0200| [b96e1a6380368240a156d84617c4379df14b0ec1] | committer: Hugo Beauzée-Luyssen

avi: Fix potential integer overflow

Leading to an out of bound read

https://hackerone.com/reports/501971
https://hackerone.com/reports/484398

(cherry picked from commit 2e7d1075b715e4e7a8772039c9a74b4834e64342)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=b96e1a6380368240a156d84617c4379df14b0ec1
---

 modules/demux/avi/avi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 3492485a25..fb1c8e728b 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -944,7 +944,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
         p_frame->i_buffer--;
     }
 
-    if( i_header >= p_frame->i_buffer )
+    if( i_header >= p_frame->i_buffer || tk->i_width_bytes > INT32_MAX - 3 )
     {
         p_frame->i_buffer = 0;
         return p_frame;
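Review bot: the added `tk->i_width_bytes > INT32_MAX - 3` test is folded into the `if` that otherwise compares `i_header` with `p_frame->i_buffer`, and nothing says that it exists to keep the later `tk->i_width_bytes + 3` rounding from wrapping. Consider a separate check with a one-line comment naming that dependency. Because `tk` is a `const avi_track_t *`, the width is a per-track value that this code re-tests on every frame, so rejecting an oversized width once, where the track is set up, would cover any other user of the field as well. The bound is `INT32_MAX` while the stride it protects is declared `unsigned int`, and the declared type of `i_width_bytes` is not visible in this hunk, so it is worth confirming that the comparison is done in the type intended.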
@@ -954,7 +954,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk,
     p_frame->p_buffer += i_header;
     p_frame->i_buffer -= i_header;
 
-    const unsigned int i_stride_bytes = ((( (tk->i_width_bytes << 3) + 31) & ~31) >> 3);
+    const unsigned int i_stride_bytes = (tk->i_width_bytes + 3) & ~3;
 
     if ( !tk->i_width_bytes || !i_stride_bytes )
         return p_frame;
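Review bot: the `+ 3` in `(tk->i_width_bytes + 3) & ~3` is only safe because of the bound added to the `if` about ten lines earlier, and that coupling is undocumented at this line. A short comment here (or an assert restating `tk->i_width_bytes <= INT32_MAX - 3`) would keep a later refactor from moving or dropping the guard without noticing. The new form gives the same round-up-to-4-bytes result as the old `<< 3 ... >> 3` expression without the multiply by 8, which is the right simplification. Note also that for any width from 1 to `INT32_MAX - 3` the rounded value is at least 4, so in that range the `!i_stride_bytes` half of the following test can no longer be true; either keep it as an explicit defensive check and say so, or drop it.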


