[vlc-commits] ps: Fix read buffer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Thu May 23 17:40:44 CEST 2019
vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Thu Mar 28 12:38:39 2019 +0100| [e8bd0847e2bd7059e9d484b1c085c92158732675] | committer: Hugo Beauzée-Luyssen
ps: Fix read buffer overflow
https://hackerone.com/reports/504484
(cherry picked from commit de2d56055be37bf4d18ceb1623bb341f69d2d86e)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=e8bd0847e2bd7059e9d484b1c085c92158732675
---
modules/demux/mpeg/ps.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/demux/mpeg/ps.h b/modules/demux/mpeg/ps.h
index b577eb327a..c4aa75df4e 100644
--- a/modules/demux/mpeg/ps.h
+++ b/modules/demux/mpeg/ps.h
@@ -624,7 +624,10 @@ static inline int ps_psm_fill( ps_psm_t *p_psm, block_t *p_pkt,
int i_version;
bool b_single_extension;
- if( !p_psm || p_buffer[3] != PS_STREAM_ID_MAP )
+ // Demux() checks that we have at least 4 bytes, but we need
+ // at least 10 to read up to the info_length field
+ assert(i_buffer >= 4);
+ if( !p_psm || i_buffer < 10 || p_buffer[3] != PS_STREAM_ID_MAP)
return VLC_EGENERIC;
i_length = GetWBE(&p_buffer[4]) + 6;
More information about the vlc-commits
mailing list