[vlc-commits] ps: Fix read buffer overflow

Hugo Beauzée-Luyssen git at videolan.org
Thu May 23 17:40:44 CEST 2019


vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Thu Mar 28 12:38:39 2019 +0100| [e8bd0847e2bd7059e9d484b1c085c92158732675] | committer: Hugo Beauzée-Luyssen

ps: Fix read buffer overflow

https://hackerone.com/reports/504484

(cherry picked from commit de2d56055be37bf4d18ceb1623bb341f69d2d86e)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=e8bd0847e2bd7059e9d484b1c085c92158732675
---

 modules/demux/mpeg/ps.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/demux/mpeg/ps.h b/modules/demux/mpeg/ps.h
index b577eb327a..c4aa75df4e 100644
--- a/modules/demux/mpeg/ps.h
+++ b/modules/demux/mpeg/ps.h
@@ -624,7 +624,10 @@ static inline int ps_psm_fill( ps_psm_t *p_psm, block_t *p_pkt,
     int i_version;
     bool b_single_extension;
 
-    if( !p_psm || p_buffer[3] != PS_STREAM_ID_MAP )
+    // Demux() checks that we have at least 4 bytes, but we need
+    // at least 10 to read up to the info_length field
+    assert(i_buffer >= 4);
+    if( !p_psm || i_buffer < 10 || p_buffer[3] != PS_STREAM_ID_MAP)
         return VLC_EGENERIC;
 
     i_length = GetWBE(&p_buffer[4]) + 6;



More information about the vlc-commits mailing list