[vlc-devel] commit: Real: fix integer overflow ( Rémi Denis-Courmont )
git version control
git at videolan.org
Sun Nov 30 12:49:30 CET 2008
vlc | branch: 0.9-bugfix | Rémi Denis-Courmont <rdenis at simphalempin.com> | Mon Nov 17 04:18:10 2008 +0200| [d19de4e9f2211cbe5bde00726b66c47a424f4e07] | committer: Rémi Denis-Courmont
Real: fix integer overflow
This is trivially exploitable to run code.
Pointed-out-by: Tobias Klein
(cherry picked from commit eb9963eb49daa8ab00b5c6986a8ec5294c6b5bf3)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=d19de4e9f2211cbe5bde00726b66c47a424f4e07
---
modules/demux/real.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/modules/demux/real.c b/modules/demux/real.c
index 7574739..ddfb64d 100644
--- a/modules/demux/real.c
+++ b/modules/demux/real.c
@@ -932,16 +932,13 @@ static void ReadRealIndex( demux_t *p_demux )
msg_Dbg( p_demux, "Real Index: Does next index exist? %d ",
GetDWBE( &buffer[16] ) );
- p_sys->p_index =
- (rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) );
+ p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) );
if( p_sys->p_index == NULL )
{
msg_Err( p_demux, "Memory allocation error" );
return;
}
- memset( p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1) );
-
for( i=0; i<i_index_count; i++ )
{
if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
More information about the vlc-devel
mailing list