[vlc-devel] commit: Fix buffer overflow ( Rémi Denis-Courmont )

git version control git at videolan.org
Mon Nov 24 15:06:36 CET 2008


vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rdenis at simphalempin.com> | Tue Nov  4 19:31:17 2008 +0200| [8a64103e80a2a885227cc2d5e01b48b58f9600f6] | committer: Jean-Paul Saman 

Fix buffer overflow

Fix buffer overflow

Pointed-out-by. Tobias Klein <tk at trapkit.de>

Signed-off-by: Jean-Paul Saman <jpsaman at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8a64103e80a2a885227cc2d5e01b48b58f9600f6
---

 modules/access/vcd/cdrom.c |   76 +++++++++++++++++++++----------------------
 1 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/modules/access/vcd/cdrom.c b/modules/access/vcd/cdrom.c
index ee92899..d0ab0af 100644
--- a/modules/access/vcd/cdrom.c
+++ b/modules/access/vcd/cdrom.c
@@ -2,7 +2,7 @@
  * cdrom.c: cdrom tools
  *****************************************************************************
  * Copyright (C) 1998-2001 the VideoLAN team
- * $Id$
+ * $Id: ee928999a13485de72883a8a4d3c33b2c7f8408d $
  *
  * Authors: Johan Bilien <jobi at via.ecp.fr>
  *          Gildas Bazin <gbazin at netcourrier.com>
@@ -835,6 +835,7 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
     char *psz_vcdfile2 = NULL;
     char *psz_cuefile = NULL;
     FILE *cuefile     = NULL;
+    int *p_sectors    = NULL;
     char line[1024];
 
     /* Check if we are dealing with a .cue file */
@@ -872,7 +873,6 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
     cuefile = utf8_fopen( psz_cuefile, "rt" );
     if( cuefile == NULL )
     {
-        i_ret = -1;
         msg_Dbg( p_this, "could not find .cue file" );
         goto error;
     }
@@ -913,58 +913,56 @@ static int OpenVCDImage( vlc_object_t * p_this, const char *psz_dev,
     }
 
     if( p_vcddev->i_vcdimage_handle == -1)
-    {
-        i_ret = -1;
         goto error;
-    }
-    else i_ret = 0;
 
     /* Try to parse the i_tracks and p_sectors info so we can just forget
      * about the cuefile */
-    if( i_ret == 0 )
+    size_t i_tracks = 0;
+
+    while( fgets( line, 1024, cuefile ) )
     {
-        int p_sectors[100];
-        int i_tracks = 0;
-        int i_num;
-        char psz_dummy[10];
+        /* look for a TRACK line */
+        char psz_dummy[9];
+        if( !sscanf( line, "%9s", psz_dummy ) || strcmp(psz_dummy, "TRACK") )
+            continue;
 
+        /* look for an INDEX line */
         while( fgets( line, 1024, cuefile ) )
         {
-            /* look for a TRACK line */
-            if( !sscanf( line, "%9s", psz_dummy ) ||
-                strcmp(psz_dummy, "TRACK") )
-                continue;
-
-            /* look for an INDEX line */
-            while( fgets( line, 1024, cuefile ) )
-            {
-                int i_min, i_sec, i_frame;
+            int i_num, i_min, i_sec, i_frame;
 
-                if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
-                            &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
-                    continue;
+            if( (sscanf( line, "%*9s %2u %2u:%2u:%2u", &i_num,
+                         &i_min, &i_sec, &i_frame ) != 4) || (i_num != 1) )
+                continue;
 
-                i_tracks++;
-                p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
-                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
-                         i_tracks - 1, p_sectors[i_tracks - 1] );
-                break;
-            }
+            int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
+            if (buf == NULL)
+                goto error;
+            p_sectors = buf;
+            p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
+            msg_Dbg( p_this, "vcd track %i begins at sector:%i",
+                     i_tracks, p_sectors[i_tracks] );
+            i_tracks++;
+            break;
         }
-
-        /* fill in the last entry */
-        p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
-                                / VCD_SECTOR_SIZE;
-        msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
-                 i_tracks, p_sectors[i_tracks] );
-        p_vcddev->i_tracks = i_tracks;
-        p_vcddev->p_sectors = malloc( (i_tracks + 1) * sizeof(int) );
-        memcpy( p_vcddev->p_sectors, p_sectors, (i_tracks + 1) * sizeof(int) );
-
     }
 
+    /* fill in the last entry */
+    int *buf = realloc (p_sectors, (i_tracks + 1) * sizeof (int));
+    if (buf == NULL)
+        goto error;
+    p_sectors = buf;
+    p_sectors[i_tracks] = lseek(p_vcddev->i_vcdimage_handle, 0, SEEK_END)
+                                 / VCD_SECTOR_SIZE;
+    msg_Dbg( p_this, "vcd track %i, begins at sector:%i",
+             i_tracks, p_sectors[i_tracks] );
+    p_vcddev->i_tracks = ++i_tracks;
+    p_vcddev->p_sectors = p_sectors;
+    i_ret = 0;
+
 error:
     if( cuefile ) fclose( cuefile );
+    free( p_sectors );
     if( psz_cuefile ) free( psz_cuefile );
     if( psz_vcdfile ) free( psz_vcdfile );
 




More information about the vlc-devel mailing list