[vlc-devel] [PATCH] block: Fix buffer total size in block_Alloc()

Kaarlo Räihä kaarlo.raiha at gmail.com
Thu Apr 26 15:19:13 CEST 2012


On 26 April 2012 at 15:49, Casian Andrei <skeletk13 at gmail.com> wrote:

> The total size of the buffer (i_size) was initialized with the whole
> allocated size for the block. This fooled block_Realloc() in the case of
> resizing to slightly larger, with the extra size in range from
> 32 to 32 + 80 bytes. block_Realloc() assumed it had enough space left in
> the buffer padding to avoid reallocating memory.
>
> Consequently, the block ended up with an i_buffer field with a value
> larger than the allocated memory around p_buffer.
>
> In the end, this could cause memory corruptions in all sorts of cases.
> In my case, vlc was crashing while encountering a corrupted mp3 file.
>

Did you see any corrupted text in VLC messages? (like main debug: play3r3b2
...)


> ---
>  src/misc/block.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/src/misc/block.c b/src/misc/block.c
> index bed781d..bd62b9d 100644
> --- a/src/misc/block.c
> +++ b/src/misc/block.c
> @@ -133,7 +133,7 @@ block_t *block_Alloc (size_t size)
>     if (unlikely(b == NULL))
>         return NULL;
>
> -    block_Init (b, b + 1, alloc);
> +    block_Init (b, b + 1, alloc - sizeof (block_t));
>     static_assert ((BLOCK_PADDING % BLOCK_ALIGN) == 0,
>                    "BLOCK_PADDING must be a multiple of BLOCK_ALIGN");
>     b->p_buffer += BLOCK_PADDING + BLOCK_ALIGN - 1;
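Review bot: the size handed to block_Init() now excludes the header, but the next visible statement, `b->p_buffer += BLOCK_PADDING + BLOCK_ALIGN - 1;`, moves the payload start forward without any matching decrement of the block's size field inside this hunk; unless the lines that follow subtract the same offset, the recorded size still overstates the bytes between p_buffer and the end of the allocation, which is exactly the mismatch block_Realloc() was relying on. Please confirm that the adjustment after the p_buffer advance accounts for that amount, and consider a short comment on `block_Init (b, b + 1, alloc - sizeof (block_t));` stating that the third argument is the byte count after the header, since `b + 1` only points past the header and the static_assert below documents the padding but not this invariant.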
> --
> 1.7.7
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> http://mailman.videolan.org/listinfo/vlc-devel
>
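The accounting error the commit message describes, as an added example in C that is not VLC's code: a hypothetical block allocator whose header, padding and payload share one allocation, with the buggy size initialization (whole allocation, header included) and the corrected one (allocation minus the header) side by side, and the in-place growth fast path that trusts the recorded size. blk_t, blk_alloc, blk_grow_in_place, demo_overrun and the other names, the BLK_PADDING value and the layout are this example's own assumptions; the 32-to-112-byte window quoted above comes from VLC's real constants, which this model does not reproduce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical block layout for this example (not VLC's block_t):
 * one malloc() holds the header, then BLK_PADDING bytes of slack,
 * then the payload. All names here are the example's own. */
#define BLK_PADDING 32u

typedef struct blk {
    uint8_t *p_start;   /* first byte after the header                     */
    size_t   i_size;    /* bytes the block believes exist after the header */
    uint8_t *p_buffer;  /* start of the payload                            */
    size_t   i_buffer;  /* payload bytes in use                            */
} blk_t;

/* True size of the single allocation backing `size` payload bytes. */
static size_t blk_alloc_size(size_t size)
{
    return sizeof(blk_t) + BLK_PADDING + size;
}

/* Allocate header + padding + payload together. With buggy != 0, i_size is
 * set to the whole allocation, header included: the accounting error the
 * commit message describes. With buggy == 0 the header is subtracted. */
static blk_t *blk_alloc(size_t size, int buggy)
{
    size_t alloc = blk_alloc_size(size);
    blk_t *b = malloc(alloc);
    if (b == NULL)
        return NULL;
    b->p_start  = (uint8_t *)(b + 1);
    b->i_size   = buggy ? alloc : alloc - sizeof(blk_t);
    b->p_buffer = b->p_start + BLK_PADDING;
    b->i_buffer = size;
    return b;
}

/* Free bytes the block *claims* to have after the end of the payload,
 * computed as offsets so no out-of-bounds pointer is ever formed. */
static size_t blk_tail_room(const blk_t *b)
{
    size_t used = (size_t)(b->p_buffer - b->p_start) + b->i_buffer;
    return used <= b->i_size ? b->i_size - used : 0;
}

/* The in-place fast path a realloc helper takes before falling back to a
 * real reallocation: grow the payload if the accounting says it fits.
 * Returns 1 when it grew in place, 0 when a reallocation is needed. */
static int blk_grow_in_place(blk_t *b, size_t extra)
{
    if (blk_tail_room(b) < extra)
        return 0;
    b->i_buffer += extra;   /* a caller would now write into this range */
    return 1;
}

/* Tail room a fresh block of `size` bytes reports under either accounting. */
static size_t claimed_tail_room(size_t size, int buggy)
{
    blk_t *b = blk_alloc(size, buggy);
    if (b == NULL)
        return 0;
    size_t room = blk_tail_room(b);
    free(b);
    return room;
}

/* Scenario from the commit message: allocate `size` bytes, then grow by
 * `extra`. Returns how many bytes the payload now extends past the memory
 * that was actually allocated (0 means the block stayed consistent). */
static size_t demo_overrun(size_t size, size_t extra, int buggy)
{
    blk_t *b = blk_alloc(size, buggy);
    if (b == NULL)
        return 0;
    size_t over = 0;
    if (blk_grow_in_place(b, extra)) {
        size_t used_end = sizeof(blk_t) + (size_t)(b->p_buffer - b->p_start)
                        + b->i_buffer;
        size_t real_end = blk_alloc_size(size);
        if (used_end > real_end)
            over = used_end - real_end;
    }
    free(b);   /* nothing was written past the end, so this stays safe */
    return over;
}

int main(void)
{
    size_t extra = sizeof(blk_t);
    printf("buggy: claimed tail room %zu, overrun after growing by %zu: %zu\n",
           claimed_tail_room(100, 1), extra, demo_overrun(100, extra, 1));
    printf("fixed: claimed tail room %zu, overrun after growing by %zu: %zu\n",
           claimed_tail_room(100, 0), extra, demo_overrun(100, extra, 0));
    return 0;
}
```

With the buggy initialization the block reports sizeof(blk_t) bytes of free tail, which are really the header counted twice, so any growth of up to that many bytes is accepted in place and i_buffer ends up pointing past the allocation; the corrected initialization reports no tail room and forces a real reallocation instead.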