[vlc-devel] commit: Fix CVE-2008-4686 (Jean-Paul Saman )

git version control git at videolan.org
Mon Nov 24 15:06:36 CET 2008


vlc | branch: 0.8.6-bugfix | Jean-Paul Saman <jpsaman at videolan.org> | Thu Nov 13 10:09:46 2008 +0100| [e59f6b3dcfbd1a9624100593e214e92b27b6af1c] | committer: Jean-Paul Saman 

Fix CVE-2008-4686

 Signed-Off-By: Jean-Paul Saman <jpsaman at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=e59f6b3dcfbd1a9624100593e214e92b27b6af1c
---

 modules/demux/ty.c |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/modules/demux/ty.c b/modules/demux/ty.c
index fbbc205..267ca1e 100644
--- a/modules/demux/ty.c
+++ b/modules/demux/ty.c
@@ -6,7 +6,7 @@
  * based on code by Christopher Wingert for tivo-mplayer
  * tivo(at)wingert.org, February 2003
  *
- * $Id$
+ * $Id: fbbc2057cd45f8860feb9860566dfca1478d29fa $
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -129,8 +129,8 @@ struct demux_sys_t
   mtime_t         lastVideoPTS;
 
   ty_rec_hdr_t    *rec_hdrs;          /* record headers array */
-  int             i_cur_rec;          /* current record in this chunk */
-  int             i_num_recs;         /* number of recs in this chunk */
+  unsigned        i_cur_rec;          /* current record in this chunk */
+  unsigned        i_num_recs;         /* number of recs in this chunk */
   int             i_seq_rec;          /* record number where seq start is */
   vlc_bool_t      eof;
   vlc_bool_t      b_first_chunk;
@@ -763,7 +763,7 @@ static int ty_stream_seek(demux_t *p_demux, double seek_pct)
 {
     demux_sys_t *p_sys = p_demux->p_sys;
     int64_t seek_pos = p_sys->i_stream_size * seek_pct;
-    int i;
+    unsigned i;
     long l_skip_amt;
 
     /* if we're not seekable, there's nothing to do */
@@ -856,7 +856,8 @@ static void TyClose( vlc_object_t *p_this )
 /* =========================================================================== */
 static int get_chunk_header(demux_t *p_demux)
 {
-    int i_readSize, i_num_recs, i;
+    uint32_t i, i_readSize;
+    unsigned i_num_recs;
     uint8_t packet_header[4];
     uint8_t record_header[16];
     ty_rec_hdr_t *p_rec_hdr;
@@ -914,7 +915,11 @@ static int get_chunk_header(demux_t *p_demux)
     /* parse headers into array */
     if (p_sys->rec_hdrs)
         free(p_sys->rec_hdrs);
-    p_sys->rec_hdrs = malloc(i_num_recs * sizeof(ty_rec_hdr_t));
+    p_sys->rec_hdrs = calloc(i_num_recs, sizeof(ty_rec_hdr_t));
+    if(!p_sys->rec_hdrs){
+        i_num_recs = 0;
+        return;
+    }
     for (i = 0; i < i_num_recs; i++)
     {
         i_readSize = stream_Read( p_demux->s, record_header, 16 );




More information about the vlc-devel mailing list