[vlc-devel] [PATCH] Fix stack overflow in ExecuteCommand
Rafaël Carré
funman at videolan.org
Sat Dec 17 04:36:27 CET 2011
Le Thu, 15 Dec 2011 18:17:52 +0000,
Cheng Sun <cheng.sun at ymail.com> a écrit :
> From 1075e863da941207cdab90713baff16c1aad76bd Mon Sep 17 00:00:00 2001
> From: Cheng Sun <chengsun9 at gmail.com>
> Date: Thu, 15 Dec 2011 17:10:52 +0000
> Subject: [PATCH] Fix stack overflow in ExecuteCommand
>
> ---
> src/input/vlmshell.c | 27 ++++++++++++++++++++++-----
> 1 files changed, 22 insertions(+), 5 deletions(-)
>
> diff --git a/src/input/vlmshell.c b/src/input/vlmshell.c
> index ab00d67..71fd952 100644
> --- a/src/input/vlmshell.c
> +++ b/src/input/vlmshell.c
> @@ -847,9 +847,19 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
> vlm_message_t **pp_message )
> {
> size_t i_command = 0;
> - char buf[strlen (psz_command) + 1], *psz_buf = buf;
> - char *ppsz_command[3+sizeof (buf) / 2];
> + size_t i_command_len = strlen( psz_command );
> + char *buf = malloc( i_command_len + 1 ), *psz_buf = buf;
> + size_t i_ppsz_command_len = (3+i_command_len / 2);
Your patch reduces the size of ppsz_command, is that intended?
> + char **ppsz_command = malloc( i_ppsz_command_len * sizeof(char *) );
> vlm_message_t *p_message = NULL;
> + int i_ret = 0;
> +
> + if( !psz_buf || !ppsz_command )
> + {
> + p_message = vlm_MessageNew( ppsz_command[0],
> + "Memory allocation failed - command too long?" );
Is it possible to have the command size in the message? (with %zu or something)
> + goto error;
> + }
>
> /* First, parse the line and cut it */
> while( *psz_command != '\0' )
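Review bot: The allocation-failure branch reads `ppsz_command[0]` at the vlm_MessageNew call before any token has been parsed, so it dereferences a NULL pointer when the ppsz_command malloc failed and reads an uninitialized slot when only buf failed. Pass something that does not depend on either allocation, e.g. `p_message = vlm_MessageNew( psz_command, "Memory allocation failed - command too long?" );`, assuming vlm_MessageNew's first argument is only a display name (its contract is not visible here). The body of ExecuteCommand continues past the end of this hunk.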
> @@ -877,7 +887,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
> goto error;
> }
>
> - assert (i_command < (sizeof (ppsz_command) / sizeof (ppsz_command[0])));
> + assert (i_command < i_ppsz_command_len);
>
> ppsz_command[i_command] = psz_buf;
> memcpy (psz_buf, psz_command, psz_temp - psz_command);
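Review bot: With ppsz_command now a heap block, the `assert (i_command < i_ppsz_command_len);` is still the only bound on the index used in the following store, and it disappears when the file is built with NDEBUG, turning an over-long token list into a heap write past the allocation instead of a stack one. If the parser provably never produces more than i_ppsz_command_len tokens, a comment saying so next to the assert would be enough; otherwise a runtime guard such as `if( i_command >= i_ppsz_command_len ) goto error;` keeps the bound in release builds. The loop enclosing this hunk starts and ends outside it.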
> @@ -889,7 +899,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
> psz_buf += psz_temp - psz_command + 1;
> psz_command = psz_temp;
>
> - assert (buf + sizeof (buf) >= psz_buf);
> + assert (buf + i_command_len + 1 >= psz_buf);
> }
>
> /*
> @@ -920,13 +930,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
>
> success:
> *pp_message = p_message;
> + free( buf );
> + free( ppsz_command );
> return VLC_SUCCESS;
>
> syntax_error:
> - return ExecuteSyntaxError( ppsz_command[0], pp_message );
> + i_ret = ExecuteSyntaxError( ppsz_command[0], pp_message );
> + free( buf );
> + free( ppsz_command );
> + return i_ret;
>
> error:
> *pp_message = p_message;
> + free( buf );
> + free( ppsz_command );
> return VLC_EGENERIC;
> }
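Review bot: The same two `free()` calls are now repeated at success, syntax_error and error, and the extra i_ret temporary exists only to let syntax_error free after the call; a single shared exit label removes the duplication and makes it harder for a future path to leak buf or ppsz_command. The three labels can each set i_ret and fall through or jump to one cleanup block that frees and returns.
```c
success:
    *pp_message = p_message;
    i_ret = VLC_SUCCESS;
    goto out;

syntax_error:
    i_ret = ExecuteSyntaxError( ppsz_command[0], pp_message );
    goto out;

error:
    *pp_message = p_message;
    i_ret = VLC_EGENERIC;

out:
    free( buf );
    free( ppsz_command );
    return i_ret;
}
```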
>
--
Rafaël Carré