[vlc-commits] [Git][videolan/vlc][3.0.x] 4 commits: memstream: handle overflow
Felix Paul Kühne (@fkuehne)
gitlab at videolan.org
Sun Jul 27 08:58:01 UTC 2025
Felix Paul Kühne pushed to branch 3.0.x at VideoLAN / VLC
Commits:
09208d78 by Rémi Denis-Courmont at 2025-07-27T08:32:55+00:00
memstream: handle overflow
(cherry picked from commit cd9085186853ff87f13fb5a1cff42787b7639b63)
Signed-off-by: Thomas Guillem <thomas at gllm.fr>
- - - - -
5a8d8a88 by Rémi Denis-Courmont at 2025-07-27T08:32:55+00:00
memstream: handle overflow
(cherry picked from commit ed7707caffbde23921dedc545694f5d56dd8b877)
Signed-off-by: Thomas Guillem <thomas at gllm.fr>
- - - - -
cddc7aea by Steve Lhomme at 2025-07-27T08:32:55+00:00
memstream: do nothing when writing a length of 0
(cherry picked from commit a3749aa6a159636ca844dd3d75567737fbe83954)
Signed-off-by: Thomas Guillem <thomas at gllm.fr>
- - - - -
da391be5 by Steve Lhomme at 2025-07-27T08:32:55+00:00
memstream: reset ptr on vlc_memstream_close() error
It's easier to spot a NULL pointer dereference than a use after free.
In the POSIX implementation [1] the status of the pointer is undefined on
error. In our implementation it's free'd.
In both cases it's better not to use that pointer value after exiting
vlc_memstream_close().
[1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/open_memstream.html
(cherry picked from commit e957881f713b057b3841a44ec023c404544748d7)
Signed-off-by: Thomas Guillem <thomas at gllm.fr>
- - - - -
1 changed file:
- src/text/memstream.c
Changes:
=====================================
src/text/memstream.c
=====================================
@@ -49,17 +49,26 @@ int vlc_memstream_close(struct vlc_memstream *ms)
int ret;
if (unlikely(stream == NULL))
+ {
+ // was never properly opened
+ ms->ptr = NULL;
return EOF;
+ }
ms->stream = NULL;
ret = ferror(stream);
if (fclose(stream))
+ {
+ // assuming it's free'd by the memstream
+ ms->ptr = NULL;
return EOF;
+ }
if (unlikely(ret))
{
free(ms->ptr);
+ ms->ptr = NULL;
return EOF;
}
return 0;
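Review bot: The comment `// assuming it's free'd by the memstream` in the fclose() failure branch states an assumption without saying what is being traded for it. The commit message notes that POSIX leaves the pointer's state undefined on error, so clearing `ms->ptr` here may leak the buffer on an implementation that does not release it; that is still the safer side, since freeing it could be a double free. I would spell that out in place, e.g. `// buffer state is unspecified after a failed fclose(): drop the pointer (possible leak) rather than risk a double free`. The start and end of vlc_memstream_close() are outside the hunk.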
@@ -71,6 +80,9 @@ size_t vlc_memstream_write(struct vlc_memstream *ms, const void *ptr,
if (unlikely(ms->stream == NULL))
return 0;
+ if (len == 0)
+ return 0;
+
return fwrite(ptr, 1, len, ms->stream);
}
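Review bot: The new `if (len == 0) return 0;` carries no comment saying why it is needed, and fwrite() with a zero count already returns 0, so the reason is not visible from the code. If the intent is to keep a NULL `ptr` paired with a zero length away from fwrite() (my reading, not stated in the commit), a line such as `// a zero-length write may come with a NULL ptr; never pass that to fwrite()` would record it. The same uncommented guard is added to the fallback vlc_memstream_write() in the next hunk and wants the same explanation there.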
@@ -120,14 +132,26 @@ int vlc_memstream_flush(struct vlc_memstream *ms)
int vlc_memstream_close(struct vlc_memstream *ms)
{
if (ms->error)
+ {
free(ms->ptr);
+ ms->ptr = NULL;
+ }
return ms->error;
}
size_t vlc_memstream_write(struct vlc_memstream *ms, const void *ptr,
size_t len)
{
- char *base = realloc(ms->ptr, ms->length + len + 1u);
+ size_t newlen;
+
+ if (len == 0)
+ return 0;
+
+ if (unlikely(add_overflow(ms->length, len, &newlen))
+ || unlikely(add_overflow(newlen, 1, &newlen)))
+ goto error;
+
+ char *base = realloc(ms->ptr, newlen);
if (unlikely(base == NULL))
goto error;
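Review bot: The `add_overflow` pair ahead of `realloc(ms->ptr, newlen)` is the security-relevant part of this hunk and should carry a why-comment: without it `ms->length + len + 1u` can wrap, and realloc would then return a buffer smaller than the data written into it afterwards. Something like `/* length + len + 1 must not wrap, or the buffer is under-allocated */` above the check is enough. The `error` label and the copy into `base` lie outside the hunk, so I am assuming the label only records the failure and leaves the old `ms->ptr` untouched, which is what the overflow path needs since realloc was never called.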
@@ -159,15 +183,18 @@ int vlc_memstream_vprintf(struct vlc_memstream *ms, const char *fmt,
va_list ap;
char *ptr;
int len;
+ size_t newlen;
va_copy(ap, args);
len = vsnprintf(NULL, 0, fmt, ap);
va_end(ap);
- if (len < 0)
+ if (len < 0
+ || unlikely(add_overflow(ms->length, len, &newlen))
+ || unlikely(add_overflow(newlen, 1, &newlen)))
goto error;
- ptr = realloc(ms->ptr, ms->length + len + 1);
+ ptr = realloc(ms->ptr, newlen);
if (ptr == NULL)
goto error;
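Review bot: The size_t check added here does not cover the `int` arithmetic on `len` itself. On a 64-bit build `len == INT_MAX` passes both `add_overflow` calls, and if the code after this hunk still forms `len + 1` as an int (presumably as the size argument of the second vsnprintf), that is signed overflow. The rest of vlc_memstream_vprintf() is outside the hunk, so this needs confirming there; if it applies, pass `newlen - ms->length` in place of `len + 1` so the size is computed from the already-checked value.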
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/1763811d7fb7c9ad09fe4598816d09446b3be14f...da391be597edb7bebf1f153eb41d567d6ed0fa64