[vlc-commits] [Git][videolan/vlc][3.0.x] 5 commits: mms: use const in mms_ParsePacket()

Jean-Baptiste Kempf (@jbk) gitlab at videolan.org
Wed Jun 5 15:59:55 UTC 2024



Jean-Baptiste Kempf pushed to branch 3.0.x at VideoLAN / VLC


Commits:
f26a1f5d by Thomas Guillem at 2024-06-05T17:57:01+02:00
mms: use const in mms_ParsePacket()

(cherry picked from commit da84f3830856256d64073c31675cba7f6905919f)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

- - - - -
6835f6d1 by Thomas Guillem at 2024-06-05T17:57:01+02:00
mms: decrease i_packet_length in only one place

(cherry picked from commit 67b2b79534d3f6a48a4fc363615a4221993ccc95)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

- - - - -
6a9e214d by Thomas Guillem at 2024-06-05T17:57:01+02:00
mms: return -1 in case of error

The function calling mms_ParsePacket() is expecting -1 (for error) or a
valid positive integer for success.

(cherry picked from commit f1e521b494bc87a254c6a6a47d27a528e35b5ca0)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

- - - - -
e7f98f36 by Thomas Guillem at 2024-06-05T17:57:01+02:00
mms: fix potential integer overflow

That could lead to a heap buffer overflow.

Thanks Andreas Fobian for the security report.

(cherry picked from commit 467b24dd0f9b0b3d8ba11dd813b393892f7f1ed2)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

- - - - -
dd8bfdba by Jean-Baptiste Kempf at 2024-06-05T17:58:05+02:00
Update NEWS for 3.0.21

- - - - -


2 changed files:

- NEWS
- modules/access/mms/mmstu.c


Changes:

=====================================
NEWS
=====================================
@@ -4,10 +4,15 @@ Changes between 3.0.20 and 3.0.21:
 Decoders:
  * Improve Opus ambisonic support
  * Fix some ASS subtitle rendering issues
+ * Fix Opus in MP4 behaviour
+ * Fix VAAPI hw decoding with some drivers
+
+Input:
+ * Add support for HTTP content range handling according to RFC 9110
+ * Fix some HLS Adaptive Streaming not working in audio-only mode
 
 Video Output:
  * Super Resolution scaling with AMD GPUs
- * Add D3D11 option to use NVIDIA TrueHDR to generate HDR from SDR sources
  * The D3D11 HDR option can also turn on/off HDR for all sources regardless of
    the display
  * Improve subtitles rendering on Apple platforms of notably Asian languages
@@ -15,6 +20,7 @@ Video Output:
 
 Video Filter:
  * New AMD VQ Enhancer filter
+ * Add D3D11 option to use NVIDIA TrueHDR to generate HDR from SDR sources
 
 Audio Output:
  * Fix regression on macOS causing crashes when using audio devices
@@ -23,9 +29,6 @@ Audio Output:
 Services Discovery:
  * Fix exposed UPnP directory URL schemes to be compliant with RFC 3986
 
-Input:
- * Add support for HTTP content range handling according to RFC 9110
-
 Contrib:
  * Update FFmpeg to 4.4.4
  * Update dav1d to 1.4.2
@@ -34,6 +37,12 @@ Contrib:
 libVLC:
  * the HWND passed to libvlc_media_player_set_hwnd must have the WS_CLIPCHILDREN
    style set.
+ * Fix crashes when using caopengllayer
+
+Misc:
+ * Fix various warnings, leaks and potential crashes
+ * Fix security integer overflow in MMS module
+
 
 Changes between 3.0.19 and 3.0.20:
 ----------------------------------


=====================================
modules/access/mms/mmstu.c
=====================================
@@ -1253,7 +1253,7 @@ static int  mms_ParseCommand( stream_t *p_access,
 }
 
 static int  mms_ParsePacket( stream_t *p_access,
-                             uint8_t *p_data, size_t i_data,
+                             const uint8_t *p_data, size_t i_data,
                              size_t *pi_used )
 {
     access_sys_t        *p_sys = p_access->p_sys;
@@ -1313,21 +1313,24 @@ static int  mms_ParsePacket( stream_t *p_access,
 #endif
     }
     p_sys->i_packet_seq_num = i_packet_seq_num + 1;
+    i_packet_length -= 8; // don't bother with preheader
 
     if( i_packet_id == p_sys->i_header_packet_id_type )
     {
-        uint8_t *p_reaced = realloc( p_sys->p_header,
-                                     p_sys->i_header + i_packet_length - 8 );
+        size_t new_header_size;
+        if( add_overflow( p_sys->i_header, i_packet_length, &new_header_size ) )
+            return -1;
+        uint8_t *p_reaced = realloc( p_sys->p_header, new_header_size );
         if( !p_reaced )
-            return VLC_ENOMEM;
+            return -1;
 
-        memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length - 8 );
+        memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length );
         p_sys->p_header = p_reaced;
-        p_sys->i_header += i_packet_length - 8;
+        p_sys->i_header = new_header_size;
 
 /*        msg_Dbg( p_access,
                  "receive header packet (%d bytes)",
-                 i_packet_length - 8 ); */
+                 i_packet_length ); */
 
         return MMS_PACKET_HEADER;
     }
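Review bot: The new `i_packet_length -= 8;` is only safe if an earlier check has already rejected declared lengths of 8 or less and lengths larger than `i_data`; that check is not visible in this hunk, since the body of mms_ParsePacket() starts before it and continues after it. The same assumption bounds the source read in `memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length )` here and in the media branch of the next hunk. If `i_packet_length` is unsigned, as the `add_overflow()` call into a `size_t` suggests, a smaller value would wrap to a very large length instead of failing. I would state the precondition at the subtraction, for example `/* length check above guarantees 8 < i_packet_length <= i_data */`, so a later refactor of the validation does not silently remove the bound.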
@@ -1337,15 +1340,15 @@ static int  mms_ParsePacket( stream_t *p_access,
         p_sys->i_media = 0;
         p_sys->i_media_used = 0;
 
-        p_sys->p_media = malloc( i_packet_length - 8 ); // don't bother with preheader
+        p_sys->p_media = malloc( i_packet_length );
         if( !p_sys->p_media )
-            return VLC_ENOMEM;
+            return -1;
 
-        p_sys->i_media = i_packet_length - 8;
+        p_sys->i_media = i_packet_length;
         memcpy( p_sys->p_media, p_data + 8, p_sys->i_media );
 /*        msg_Dbg( p_access,
                  "receive media packet (%d bytes)",
-                 i_packet_length - 8 ); */
+                 i_packet_length ); */
 
         return MMS_PACKET_MEDIA;
     }
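Review bot: The failure path `if( !p_sys->p_media ) return -1;` now gives the caller the same result as a malformed packet and emits no diagnostic. The same holds for the `add_overflow()` rejection and the realloc failure in the header branch of the previous hunk. Returning -1 matches what the commit message says the caller expects, but a rejected length sum on a network-supplied packet is worth recording for anyone triaging a hostile or broken server. Consider a log line before each return, for example `msg_Warn( p_access, "header size overflow, dropping packet" );` on the overflow branch and a similar message on the two allocation failures. The media branch begins before this hunk and the function continues after it.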



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/f5a1aa0988e33856ade7660f73259692c5d51cb0...dd8bfdbabe8ae3974ca3864ad3125879f523e3a2
