[vlc-devel] commit: Fixed a buffer overread with broken oggs and check alloc values. ( Rémi Denis-Courmont )
git version control
git at videolan.org
Sun Aug 31 14:19:28 CEST 2008
vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rdenis at simphalempin.com> | Sun Aug 31 15:15:21 2008 +0300| [7d6801d2028dbfd8149b1c82de8f18072f28c380] | committer: Rémi Denis-Courmont
Fixed a buffer overread with broken oggs and check alloc values.
Conflicts:
modules/demux/ogg.c
Signed-off-by: Rémi Denis-Courmont <rdenis at simphalempin.com>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=7d6801d2028dbfd8149b1c82de8f18072f28c380
---
modules/demux/ogg.c | 80 +++++++++++++++++++++++++++++++++------------------
1 files changed, 52 insertions(+), 28 deletions(-)
diff --git a/modules/demux/ogg.c b/modules/demux/ogg.c
index 8e8a160..27977ee 100644
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@@ -193,6 +193,8 @@ static int Open( vlc_object_t * p_this )
p_demux->pf_demux = Demux;
p_demux->pf_control = Control;
p_demux->p_sys = p_sys = malloc( sizeof( demux_sys_t ) );
+ if( !p_sys )
+ return VLC_ENOMEM;
memset( p_sys, 0, sizeof( demux_sys_t ) );
p_sys->i_bitrate = 0;
@@ -506,7 +508,7 @@ static void Ogg_DecodePacket( demux_t *p_demux,
if( p_stream->b_force_backup )
{
- uint8_t *p_extra;
+ uint8_t *p_sav;
vlc_bool_t b_store_size = VLC_TRUE;
p_stream->i_packets_backup++;
@@ -543,27 +545,34 @@ static void Ogg_DecodePacket( demux_t *p_demux,
/* Backup the ogg packet (likely an header packet) */
p_stream->p_headers =
- realloc( p_stream->p_headers, p_stream->i_headers +
+ realloc( p_sav = p_stream->p_headers, p_stream->i_headers +
p_oggpacket->bytes + (b_store_size ? 2 : 0) );
- p_extra = p_stream->p_headers + p_stream->i_headers;
- if( b_store_size )
+ if( p_stream->p_headers )
{
- *(p_extra++) = p_oggpacket->bytes >> 8;
- *(p_extra++) = p_oggpacket->bytes & 0xFF;
- }
- memcpy( p_extra, p_oggpacket->packet, p_oggpacket->bytes );
- p_stream->i_headers += p_oggpacket->bytes + (b_store_size ? 2 : 0);
+ uint8_t *p_extra = p_stream->p_headers + p_stream->i_headers;
+ if( b_store_size )
+ {
+ *(p_extra++) = p_oggpacket->bytes >> 8;
+ *(p_extra++) = p_oggpacket->bytes & 0xFF;
+ }
+ memcpy( p_extra, p_oggpacket->packet, p_oggpacket->bytes );
+ p_stream->i_headers += p_oggpacket->bytes + (b_store_size ? 2 : 0);
- if( !p_stream->b_force_backup )
+ if( !p_stream->b_force_backup )
+ {
+ /* Last header received, commit changes */
+ p_stream->fmt.i_extra = p_stream->i_headers;
+ p_stream->fmt.p_extra =
+ realloc( p_stream->fmt.p_extra, p_stream->i_headers );
+ memcpy( p_stream->fmt.p_extra, p_stream->p_headers,
+ p_stream->i_headers );
+ es_out_Control( p_demux->out, ES_OUT_SET_FMT,
+ p_stream->p_es, &p_stream->fmt );
+ }
+ }
+ else
{
- /* Last header received, commit changes */
- p_stream->fmt.i_extra = p_stream->i_headers;
- p_stream->fmt.p_extra =
- realloc( p_stream->fmt.p_extra, p_stream->i_headers );
- memcpy( p_stream->fmt.p_extra, p_stream->p_headers,
- p_stream->i_headers );
- es_out_Control( p_demux->out, ES_OUT_SET_FMT,
- p_stream->p_es, &p_stream->fmt );
+ p_stream->p_headers = p_sav;
}
b_selected = VLC_FALSE; /* Discard the header packet */
@@ -739,12 +748,22 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
* We found the beginning of our first logical stream. */
while( ogg_page_bos( &oggpage ) )
{
+ logical_stream_t **pp_sav = p_ogg->pp_stream;
+
p_ogg->i_streams++;
p_ogg->pp_stream =
realloc( p_ogg->pp_stream, p_ogg->i_streams *
sizeof(logical_stream_t *) );
+ if( !p_ogg->pp_stream )
+ {
+ p_ogg->pp_stream = pp_sav;
+ p_ogg->i_streams--;
+ return VLC_ENOMEM;
+ }
p_stream = malloc( sizeof(logical_stream_t) );
+ if( !p_stream )
+ return VLC_ENOMEM;
memset( p_stream, 0, sizeof(logical_stream_t) );
p_stream->p_headers = 0;
p_stream->secondary_header_packets = 0;
@@ -916,12 +935,15 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
p_stream->fmt.i_cat = AUDIO_ES;
i_extra_size = GetWLE((oggpacket.packet+140));
- if( i_extra_size )
+ if( i_extra_size > 0 && i_extra_size < oggpacket.bytes - 142 )
{
p_stream->fmt.i_extra = i_extra_size;
p_stream->fmt.p_extra = malloc( i_extra_size );
- memcpy( p_stream->fmt.p_extra,
- oggpacket.packet + 142, i_extra_size );
+ if( p_stream->fmt.p_extra )
+ memcpy( p_stream->fmt.p_extra,
+ oggpacket.packet + 142, i_extra_size );
+ else
+ p_stream->fmt.i_extra = 0;
}
i_format_tag = GetWLE((oggpacket.packet+124));
@@ -1016,14 +1038,16 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
/* We need to get rid of the header packet */
ogg_stream_packetout( &p_stream->os, &oggpacket );
- p_stream->fmt.i_extra = GetQWLE(&st->size) -
- sizeof(stream_header);
- if( p_stream->fmt.i_extra )
+ p_stream->fmt.i_extra = GetQWLE(&st->size) - sizeof(stream_header);
+ if( p_stream->fmt.i_extra > 0 &&
+ p_stream->fmt.i_extra < oggpacket.bytes - 1 - sizeof(stream_header) )
{
- p_stream->fmt.p_extra =
- malloc( p_stream->fmt.i_extra );
- memcpy( p_stream->fmt.p_extra, st + 1,
- p_stream->fmt.i_extra );
+ p_stream->fmt.p_extra = malloc( p_stream->fmt.i_extra );
+ if( p_stream->fmt.p_extra )
+ memcpy( p_stream->fmt.p_extra, st + 1,
+ p_stream->fmt.i_extra );
+ else
+ p_stream->fmt.i_extra = 0;
}
memcpy( p_buffer, st->subtype, 4 );
More information about the vlc-devel
mailing list