[vlc-devel] commit: wav: fix integer overflow (CVE-2008-2430) ( Rémi Denis-Courmont )
git version control
git at videolan.org
Sat Jun 28 23:56:08 CEST 2008
vlc | branch: master | Rémi Denis-Courmont <rdenis at simphalempin.com> | Sat Jun 28 14:00:57 2008 +0300| [3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1]
wav: fix integer overflow (CVE-2008-2430)
When i_size is sufficiently large, the size computed for malloc() would
overflow, and stream_Read() would then overwrite the heap.
Bug reported by: Alin Rad Pop, Secunia Research.
(cherry-picked from commit 95e2f0ff579a5b987cbde9454aa1fc86080528e2)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1
---
modules/demux/wav.c | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/modules/demux/wav.c b/modules/demux/wav.c
index 0c271d3..045344a 100644
--- a/modules/demux/wav.c
+++ b/modules/demux/wav.c
@@ -1,7 +1,7 @@
/*****************************************************************************
* wav.c : wav file input module for vlc
*****************************************************************************
- * Copyright (C) 2001-2007 the VideoLAN team
+ * Copyright (C) 2001-2008 the VideoLAN team
* $Id$
*
* Authors: Laurent Aimar <fenrir at via.ecp.fr>
@@ -106,7 +106,8 @@ static int Open( vlc_object_t * p_this )
demux_sys_t *p_sys;
const uint8_t *p_peek;
- unsigned int i_size, i_extended;
+ uint32_t i_size;
+ unsigned int i_extended;
const char *psz_name;
WAVEFORMATEXTENSIBLE *p_wf_ext = NULL;
@@ -139,7 +140,8 @@ static int Open( vlc_object_t * p_this )
msg_Err( p_demux, "cannot find 'fmt ' chunk" );
goto error;
}
- if( i_size < sizeof( WAVEFORMATEX ) - 2 ) /* XXX -2 isn't a typo */
+ i_size += 2;
+ if( i_size < sizeof( WAVEFORMATEX ) )
{
msg_Err( p_demux, "invalid 'fmt ' chunk" );
goto error;
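Review bot: The new guard at `i_size += 2;` depends on uint32_t wraparound, and nothing on these lines says so: a declared size of 0xFFFFFFFE or 0xFFFFFFFF wraps to 0 or 1 and is only then rejected by `i_size < sizeof( WAVEFORMATEX )`. The commit also deletes the `XXX -2 isn't a typo` comment, which was the only hint about the 2-byte slack. I would put a comment above the increment, `/* +2 leaves room for cbSize, which a short 'fmt ' chunk may omit; a wrapped i_size is caught by the check below */`; the cbSize reading is inferred from `p_wf->cbSize = 0` in the following hunk and should be confirmed. Open() begins and ends outside this hunk.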
@@ -147,14 +149,15 @@ static int Open( vlc_object_t * p_this )
stream_Read( p_demux->s, NULL, 8 ); /* Cannot fail */
/* load waveformatex */
- p_wf_ext = malloc( __EVEN( i_size ) + 2 );
+ p_wf_ext = malloc( i_size );
if( p_wf_ext == NULL )
goto error;
p_wf = (WAVEFORMATEX *)p_wf_ext;
p_wf->cbSize = 0;
- if( stream_Read( p_demux->s,
- p_wf, __EVEN( i_size ) ) < (int)__EVEN( i_size ) )
+ i_size -= 2;
+ if( stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size
+ || ( ( i_size & 1 ) && stream_Read( p_demux->s, NULL, 1 ) != 1 ) )
{
msg_Err( p_demux, "cannot load 'fmt ' chunk" );
goto error;
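Review bot: Nothing bounds `i_size` from above, so a 'fmt ' chunk declaring more than INT_MAX bytes reaches `stream_Read( p_demux->s, p_wf, i_size ) != (int)i_size` with a cast that yields a negative value; the length argument presumably undergoes the same conversion, though stream_Read's prototype is not visible here. The size check in the previous hunk is the natural place to reject this, e.g. `if( i_size < sizeof( WAVEFORMATEX ) || i_size > INT_MAX )`, or a much smaller cap if the project has one for header chunks. Separately, bumping `i_size` by 2 before malloc() and restoring it with `i_size -= 2;` before the read makes the variable's meaning depend on position; a second local for the allocation size would keep buffer size and read length visibly tied. The enclosing block closes outside the hunk.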