[vlc-devel] [PATCH] block: Fix buffer total size in block_Alloc()

Casian Andrei skeletk13 at gmail.com
Sat May 5 18:30:08 CEST 2012


Ping?

2012/4/26 Casian Andrei <skeletk13 at gmail.com>:
> 2012/4/26 Kaarlo Räihä <kaarlo.raiha at gmail.com>:
>>
>>
>> On 26 April 2012 15:49, Casian Andrei <skeletk13 at gmail.com> wrote:
>>
>>> The total size of the buffer (i_size) was initialized with the whole
>>> allocated size for the block. This fooled block_Realloc() in the case of
>>> resizing to slightly larger, with the extra size in range from
>>> 32 to 32 + 80 bytes. block_Realloc() assumed it had enough space left in
>>> the buffer padding to avoid reallocating memory.
>>>
>>> Consequently, the block ended up with an i_buffer field with a value
>>> larger than the allocated memory around p_buffer.
>>>
>>> In the end, this could cause memory corruptions in all sorts of cases.
>>> In my case, vlc was crashing while encountering a corrupted mp3 file.
>>
>>
>> Did you see any corrupted text in VLC messages? (like main debug: play3r3b2
>> ...)
> No, none of those. After hitting the problematic area of the file,
> there were lots of 'emulated startcode' messages, and eventually it
> aborted due to memory corruption (caused at some point by
> block_Realloc() at mpeg_audio.c:546 followed by memcpy at line 462).
>
> Here's a log http://pastebin.com/2JfYnWux
>>
>>>
>>> ---
>>>  src/misc/block.c |    2 +-
>>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/src/misc/block.c b/src/misc/block.c
>>> index bed781d..bd62b9d 100644
>>> --- a/src/misc/block.c
>>> +++ b/src/misc/block.c
>>> @@ -133,7 +133,7 @@ block_t *block_Alloc (size_t size)
>>>     if (unlikely(b == NULL))
>>>         return NULL;
>>>
>>> -    block_Init (b, b + 1, alloc);
>>> +    block_Init (b, b + 1, alloc - sizeof (block_t));
>>>     static_assert ((BLOCK_PADDING % BLOCK_ALIGN) == 0,
>>>                    "BLOCK_PADDING must be a multiple of BLOCK_ALIGN");
>>>     b->p_buffer += BLOCK_PADDING + BLOCK_ALIGN - 1;
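Review bot: the size passed to block_Init() at the changed line now matches the buffer start `b + 1`, which already skips the block_t header, so `alloc - sizeof (block_t)` is the correct usable length and the old `alloc` over-reported it by exactly one header; consider writing it as `alloc - sizeof (*b)` so the subtraction is tied to the type of `b` and cannot drift if the header type is ever renamed, and add a one-line comment that i_size counts bytes from `b + 1`, not from the later-aligned `p_buffer`. Since `b->p_buffer` is then advanced by `BLOCK_PADDING + BLOCK_ALIGN - 1` two lines below, it would help reviewers if the commit message named which constants produce the "32 to 32 + 80 bytes" window in which block_Realloc() skipped the reallocation (BLOCK_PADDING and the header size, if that is what 32 and 80 are on the test platform), so the fix can be checked against those definitions rather than the observed crash alone.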
>>> --
>>> 1.7.7
>>> _______________________________________________
>>> vlc-devel mailing list
>>> To unsubscribe or modify your subscription options:
>>> http://mailman.videolan.org/listinfo/vlc-devel
>>
>>
>>


