[vlc-commits] [Git][videolan/vlc][master] 3 commits: demux: ty: check map_size of overflows
Steve Lhomme (@robUx4)
gitlab at videolan.org
Tue Jan 27 15:02:48 UTC 2026
Steve Lhomme pushed to branch master at VideoLAN / VLC
Commits:
43c7aa9d by François Cartegnie at 2026-01-27T14:41:03+00:00
demux: ty: check map_size of overflows
would create unseekable entries
- - - - -
edf517ac by François Cartegnie at 2026-01-27T14:41:03+00:00
demux: ty: fix offset type
- - - - -
b343f6d7 by François Cartegnie at 2026-01-27T14:41:03+00:00
demux: ty: use calloc
- - - - -
1 changed file:
- modules/demux/ty.c
Changes:
=====================================
modules/demux/ty.c
=====================================
@@ -322,7 +322,7 @@ static int Open(vlc_object_t *p_this)
/* at this point, we assume we have a valid TY stream */
msg_Dbg( p_demux, "valid TY stream detected" );
- p_sys = malloc(sizeof(demux_sys_t));
+ p_sys = calloc(1, sizeof(demux_sys_t));
if( unlikely(p_sys == NULL) )
return VLC_ENOMEM;
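Review bot: The context comment in the next hunk of Open() still reads `most were zero'd out with the memset above`, but that memset is removed by this series in favour of `calloc`, so the comment now refers to code that no longer exists. It could read `/* set up our struct (calloc already zeroed every field) */`. As a style point, `calloc(1, sizeof(*p_sys))` ties the size to the pointer instead of a type name that has to be kept in sync by hand. Open() starts and ends outside the hunk.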
@@ -332,7 +332,6 @@ static int Open(vlc_object_t *p_this)
/* create our structure that will hold all data */
p_demux->p_sys = p_sys;
- memset(p_sys, 0, sizeof(demux_sys_t));
/* set up our struct (most were zero'd out with the memset above) */
p_sys->b_first_chunk = true;
@@ -1480,7 +1479,7 @@ static int ty_stream_seek_time(demux_t *p_demux, uint64_t l_seek_time)
unsigned i_seq_entry = 0;
unsigned i;
int i_skip_cnt;
- int64_t l_cur_pos = vlc_stream_Tell(p_demux->s);
+ uint64_t l_cur_pos = vlc_stream_Tell(p_demux->s);
unsigned i_cur_part = l_cur_pos / TIVO_PART_LENGTH;
uint64_t l_seek_secs = l_seek_time / 1000000000;
uint64_t l_fwd_stamp = 1;
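Review bot: With `l_cur_pos` now `uint64_t`, the next line `unsigned i_cur_part = l_cur_pos / TIVO_PART_LENGTH;` silently narrows a 64-bit quotient to `unsigned`. The value of TIVO_PART_LENGTH is not visible here, so it cannot be confirmed from the hunk whether the quotient always fits for a very large stream; an explicit cast with a short comment saying why it fits, or a range check, would make that reviewable. The same signed-to-unsigned change is applied to `i_save_pos` in parse_master(). Any later comparison or subtraction of these variables against signed values lies outside the hunks and is worth re-checking, since such expressions are now evaluated as unsigned. ty_stream_seek_time() continues beyond the hunk.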
@@ -1631,7 +1630,7 @@ static int parse_master(demux_t *p_demux)
{
demux_sys_t *p_sys = p_demux->p_sys;
uint8_t mst_buf[32];
- int64_t i_save_pos = vlc_stream_Tell(p_demux->s);
+ uint64_t i_save_pos = vlc_stream_Tell(p_demux->s);
int64_t i_pts_secs;
/* Note that the entries in the SEQ table in the stream may have
@@ -1651,7 +1650,10 @@ static int parse_master(demux_t *p_demux)
uint32_t i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */
uint32_t i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */
- p_sys->i_bits_per_seq_entry = i_map_size * 8;
+ if(i_map_size > UINT32_MAX / 8)
+ return VLC_EGENERIC;
+
+ p_sys->i_bits_per_seq_entry = i_map_size * 8U;
p_sys->i_seq_table_size = i / (8 + i_map_size);
if(p_sys->i_seq_table_size == 0)
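Review bot: The new `return VLC_EGENERIC;` leaves parse_master() after the header bytes in `mst_buf` have been used, and nothing in the hunk shows the stream being returned to `i_save_pos` on this path. If the function's other exits seek back before returning (not visible here), this one should too, so that a rejected file does not leave the demuxer at a shifted offset. The guard bounds only the multiplication: `i_map_size` and `i` still come straight from the file, so `i_seq_table_size` remains file-controlled, and whatever later sizes buffers or loops from it (outside the hunk) deserves its own upper limit. A short comment such as `/* bit count must fit in 32 bits, otherwise the seek table entries are unusable */` above the check would record why the file is rejected. The function body starts and ends outside the hunk.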
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/904fbeb9fae8b921b708004130293136b9918790...b343f6d7b313cad87bc055915f8e59adafedb648