[vlc-devel] commit: Protect against vobsub lines overflow ( Rémi Denis-Courmont )

Sun Dec 7 21:49:38 CET 2008

vlc | branch: master | Rémi Denis-Courmont <rdenis at simphalempin.com> | Sun Dec  7 22:48:40 2008 +0200| [0ce0cc9f619a9f556ed9943de61f775433c5e311] | committer: Rémi Denis-Courmont 

Protect against vobsub lines overflow

(probably impossible in practice as memory would run out first)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=0ce0cc9f619a9f556ed9943de61f775433c5e311
---

 modules/demux/vobsub.c |   41 +++++++++++++++--------------------------
 1 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/modules/demux/vobsub.c b/modules/demux/vobsub.c
index b3a460d..13802ba 100644
--- a/modules/demux/vobsub.c
+++ b/modules/demux/vobsub.c
@@ -34,6 +34,7 @@
 
 #include <errno.h>
 #include <sys/types.h>
+#include <limits.h>
 
 #include <vlc_demux.h>
 #include <vlc_charset.h>
@@ -417,47 +418,35 @@ static int Demux( demux_t *p_demux )
 
 static int TextLoad( text_t *txt, stream_t *s )
 {
-    int   i_line_max;
-
-    /* init txt */
-    i_line_max          = 500;
-    txt->i_line_count   = 0;
-    txt->i_line         = 0;
-    txt->line           = calloc( i_line_max, sizeof( char * ) );
-    if( !txt->line )
-        return VLC_EGENERIC;
+    char **lines = NULL;
+    size_t n = 0;
 
     /* load the complete file */
     for( ;; )
     {
         char *psz = stream_ReadLine( s );
+        char **ppsz_new;
 
-        if( psz == NULL )
+        if( psz == NULL || (n >= INT_MAX/sizeof(char *)) )
             break;
 
-        txt->line[txt->i_line_count++] = psz;
-        if( txt->i_line_count >= i_line_max )
+        ppsz_new = realloc( lines, (n + 1) * sizeof (char *) );
+        if( ppsz_new == NULL )
         {
-            char **ppsz_old = txt->line;
-
-            i_line_max += 100;
-            txt->line = realloc( txt->line, i_line_max * sizeof( char*) );
-            if( !txt->line )
-            {
-                free( ppsz_old );
-                break;
-            }
+            free( psz );
+            break;
         }
+        lines = ppsz_new;
+        lines[n++] = psz;
     }
 
-    if( txt->i_line_count <= 0 )
-    {
-        free( txt->line );
-        return VLC_EGENERIC;
-    }
+    txt->i_line_count = 0;
+    txt->i_line       = n;
+    txt->line         = lines;
 
     return VLC_SUCCESS;
 }
+
 static void TextUnload( text_t *txt )
 {
     int i;


