[vlc-devel] [PATCH] block: Fix buffer total size in block_Alloc()

Casian Andrei skeletk13 at gmail.com
Thu Apr 26 19:53:02 CEST 2012


2012/4/26 Kaarlo Räihä <kaarlo.raiha at gmail.com>:
>
>
> 26. huhtikuuta 2012 15.49 Casian Andrei <skeletk13 at gmail.com> kirjoitti:
>
>> The total size of the buffer (i_size) was initialized with the whole
>> allocated size for the block. This fooled block_Realloc() in the case of
>> resizing to slightly larger, with the extra size in range from
>> 32 to 32 + 80 bytes. block_Realloc() assumed it had enough space left in
>> the buffer padding to avoid reallocating memory.
>>
>> Consequently, the block ended up with an i_buffer field with a value
>> larger than the allocated memory around p_buffer.
>>
>> In the end, this could cause memory corruptions in all sorts of cases.
>> In my case, vlc was crashing while encountering a corrupted mp3 file.
>
>
> Did you see any corrupted text in VLC messages? (like main debug: play3r3b2
> ...)
No, none of those. After hitting the problematic area of the file,
there were lots of 'emulated startcode' messages, and eventually it
aborted due to memory corruption (caused at some point by
block_Realloc() at mpeg_audio.c:546 followed by memcpy at line 462).

Here's a log http://pastebin.com/2JfYnWux
>
>>
>> ---
>>  src/misc/block.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/src/misc/block.c b/src/misc/block.c
>> index bed781d..bd62b9d 100644
>> --- a/src/misc/block.c
>> +++ b/src/misc/block.c
>> @@ -133,7 +133,7 @@ block_t *block_Alloc (size_t size)
>>     if (unlikely(b == NULL))
>>         return NULL;
>>
>> -    block_Init (b, b + 1, alloc);
>> +    block_Init (b, b + 1, alloc - sizeof (block_t));
>>     static_assert ((BLOCK_PADDING % BLOCK_ALIGN) == 0,
>>                    "BLOCK_PADDING must be a multiple of BLOCK_ALIGN");
>>     b->p_buffer += BLOCK_PADDING + BLOCK_ALIGN - 1;
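Review bot: the subtraction is the right fix, because block_Init() receives b + 1 as the buffer start, so i_size must count only the bytes after the header; block_Realloc() derives its tail slack from i_size and the p_buffer offset, which is exactly where the header-sized surplus turned into an in-place grow past the allocation. Consider computing the usable size once, e.g. `size_t usable = alloc - sizeof (*b);`, passing that to block_Init() and adding a one-line comment that i_size is measured from b + 1, so the next reader of the padding arithmetic does not reintroduce the mismatch.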
>> --
>> 1.7.7
>> _______________________________________________
>> vlc-devel mailing list
>> To unsubscribe or modify your subscription options:
>> http://mailman.videolan.org/listinfo/vlc-devel
>
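To make the accounting error concrete for anyone following the thread, here is a small toy model of the layout (one malloc holding the header, some padding, the payload and tail padding). It is an added example written for this discussion, not code from VLC: the names echo the fields mentioned above, but the constants, the `toy_` functions and the `i_true_size` field used only for checking are assumptions of the example. It records the usable size either correctly (bytes after the header) or the way the old block_Alloc() did (the whole allocation), then asks whether a slightly larger in-place grow would leave i_buffer pointing past the real memory. Nothing is written into the buffer, so the toy only reports the overrun, it never performs it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy layout: header, head padding, payload, tail padding, in one malloc.
 * TOY_PADDING is an invented constant for this example, not VLC's. */
#define TOY_PADDING 32

typedef struct toy_block {
    uint8_t *p_start;     /* first byte after the header */
    size_t   i_size;      /* usable bytes after the header, as recorded */
    uint8_t *p_buffer;    /* payload start */
    size_t   i_buffer;    /* payload length */
    size_t   i_true_size; /* real usable bytes after the header (checking only) */
} toy_block_t;

/* Allocate `size` payload bytes. With buggy == true the usable size is
 * recorded as the whole allocation, header included, which is the
 * accounting error the patch on this thread corrects. */
static toy_block_t *toy_alloc(size_t size, bool buggy)
{
    size_t alloc = sizeof(toy_block_t) + 2 * TOY_PADDING + size;
    toy_block_t *b = malloc(alloc);
    if (b == NULL)
        return NULL;
    b->p_start = (uint8_t *)(b + 1);
    b->i_true_size = alloc - sizeof(toy_block_t);
    b->i_size = buggy ? alloc : b->i_true_size;
    b->p_buffer = b->p_start + TOY_PADDING;
    b->i_buffer = size;
    return b;
}

/* Slack after the payload according to the bookkeeping. */
static size_t toy_tail_room(const toy_block_t *b)
{
    return b->i_size - ((size_t)(b->p_buffer - b->p_start) + b->i_buffer);
}

/* Grow the payload by `extra` bytes without moving it, if the bookkeeping
 * claims there is room. Returns true when grown in place. */
static bool toy_grow_in_place(toy_block_t *b, size_t extra)
{
    if (extra > toy_tail_room(b))
        return false;
    b->i_buffer += extra;
    return true;
}

/* True when the recorded payload extends past the real allocation. */
static bool toy_overruns(const toy_block_t *b)
{
    return (size_t)(b->p_buffer - b->p_start) + b->i_buffer > b->i_true_size;
}

/* Allocate, attempt an in-place grow, and report:
 *  -1  grow refused (a real reallocation would happen instead)
 *   0  grown in place and still inside the allocation
 *   1  grown in place but i_buffer now overruns the allocation */
static int toy_scenario(size_t size, size_t extra, bool buggy)
{
    toy_block_t *b = toy_alloc(size, buggy);
    if (b == NULL)
        return -2;
    int result = toy_grow_in_place(b, extra) ? (toy_overruns(b) ? 1 : 0) : -1;
    free(b);
    return result;
}

int main(void)
{
    /* Growing by more than the tail padding but less than padding plus the
     * header size is exactly the window where the old accounting lied. */
    printf("fixed, +16: %d\n", toy_scenario(100, 16, false));
    printf("buggy, +16: %d\n", toy_scenario(100, 16, true));
    printf("fixed, +48: %d\n", toy_scenario(100, 48, false));
    printf("buggy, +48: %d\n", toy_scenario(100, 48, true));
    return 0;
}
```

The interesting case is the +48 grow: with the correct i_size the toy refuses to grow in place (tail room is only the 32 padding bytes), while with the old accounting it happily grows in place and i_buffer ends up larger than the memory behind p_buffer, which is the state described at the top of the thread.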