[vlc-devel] commit: wav: fix integer overflow (CVE-2008-2430) ( Rémi Denis-Courmont )

git version control git at videolan.org
Sat Jun 28 23:50:07 CEST 2008


vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rdenis at simphalempin.com> | Sat Jun 28 14:00:57 2008 +0300| [95e2f0ff579a5b987cbde9454aa1fc86080528e2]

wav: fix integer overflow (CVE-2008-2430)

When i_size is sufficiently large, we would overflow malloc(), and then
overwrite the heap with stream_Read().

Bug reported by: Alin Rad Pop, Secunia Research.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=95e2f0ff579a5b987cbde9454aa1fc86080528e2
---

 modules/demux/wav.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/modules/demux/wav.c b/modules/demux/wav.c
index d0dbeff..401a441 100644
--- a/modules/demux/wav.c
+++ b/modules/demux/wav.c
@@ -104,7 +104,8 @@ static int Open( vlc_object_t * p_this )
     demux_sys_t *p_sys;
 
     uint8_t     *p_peek;
-    unsigned int i_size, i_extended;
+    uint32_t     i_size;
+    unsigned int i_extended;
     char        *psz_name;
 
     WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
@@ -137,7 +138,8 @@ static int Open( vlc_object_t * p_this )
         msg_Err( p_demux, "cannot find 'fmt ' chunk" );
         goto error;
     }
-    if( i_size < sizeof( WAVEFORMATEX ) - 2 )   /* XXX -2 isn't a typo */
+    i_size += 2;
+    if( i_size < sizeof( WAVEFORMATEX ) )
     {
         msg_Err( p_demux, "invalid 'fmt ' chunk" );
         goto error;
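Review bot: The `i_size += 2;` on the new side can wrap when the chunk size taken from the file is 0xFFFFFFFE or 0xFFFFFFFF, and the code is only safe because i_size became a uint32_t in the hunk above, so the wrap is well-defined and lands on 0 or 1, which the size check right after rejects; that reasoning should be written down since it replaces the removed `/* XXX -2 isn't a typo */` comment. Suggested comment above the increment: `/* +2 reserves room for cbSize, which short 'fmt ' chunks may omit; on a uint32_t a wrap yields 0 or 1 and is rejected by the check below */`. The cbSize half of that is inferred from `p_wf->cbSize = 0;` in the next hunk and should be confirmed against the WAVEFORMATEX layout. Open() continues outside this hunk.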
@@ -145,14 +147,15 @@ static int Open( vlc_object_t * p_this )
     stream_Read( p_demux->s, NULL, 8 );   /* Cannot fail */
 
     /* load waveformatex */
-    p_wf_ext = malloc( __EVEN( i_size ) + 2 );
+    p_wf_ext = malloc( i_size );
     if( p_wf_ext == NULL )
          goto error;
 
     p_wf = (WAVEFORMATEX *)p_wf_ext;
     p_wf->cbSize = 0;
-    if( stream_Read( p_demux->s,
-                     p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
+    i_size -= 2;
+    if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
+     || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
     {
         msg_Err( p_demux, "cannot load 'fmt ' chunk" );
         goto error;
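Review bot: The comparison `stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size` on the new side casts a file-controlled uint32_t to int, so a chunk size above INT_MAX turns negative after the cast and, if stream_Read takes an int length, is also passed to it as a negative size, while the malloc above has already accepted the same value. A cheap upper bound on i_size before the allocation (a fixed limit that is generous for a 'fmt ' chunk, or at the very least INT_MAX) would close that path regardless of how stream_Read treats oversized lengths. The `i_size -= 2;` following the malloc also deserves a comment, since the buffer is two bytes larger than the amount read and later code presumably relies on i_size being the chunk payload size again: `/* buffer holds i_size + 2 bytes; read only the chunk payload, cbSize was zeroed above */`. Open() continues outside this hunk.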



