[vlc-devel] [vlc-commits] access: ftp: fix potential invalid write.
Rémi Denis-Courmont
remi at remlab.net
Sat Dec 6 17:54:46 CET 2014
On Friday 05 December 2014, 23:23:04 Fabian Yamaguchi wrote:
> vlc | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Fri Dec 5
> 15:04:47 2014 +0100| [11d4770c6616fcb36cf014f4759679ac66ff7540] |
> committer: Jean-Baptiste Kempf
>
> access: ftp: fix potential invalid write.
>
> A buffer based on the length of the string to be sent via ftp was
> allocated on the stack and hence, it could not be verified whether the
> allocation succeeded. Allocate the buffer on the heap instead to avoid
> a potential invalid write in a subsequent memcpy.
>
> Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
>
> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=11d4770c6616fcb36cf014f4759679ac66ff7540
> ---
>
> modules/access/ftp.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/modules/access/ftp.c b/modules/access/ftp.c
> index 5224e7e..a6b586e 100644
> --- a/modules/access/ftp.c
> +++ b/modules/access/ftp.c
> @@ -151,7 +151,13 @@ static int ftp_SendCommand( vlc_object_t *obj,
> access_sys_t *sys, const char *fmt, ... )
> {
> size_t fmtlen = strlen( fmt );
> - char fmtbuf[fmtlen + 3];
> +
> + if( fmtlen > SIZE_MAX - 3 )
> + return -1;
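Review bot: The added guard `if( fmtlen > SIZE_MAX - 3 )` only protects the `fmtlen + 3` size computation against wraparound, and `fmtlen` is the `strlen()` of a string already in memory, so this branch is not the failure the commit message describes. The fix for that failure is the NULL check on the heap allocation that replaces `char fmtbuf[fmtlen + 3];`, which is not among the lines quoted here (the diffstat lists 8 insertions, 3 are visible). I would either drop the guard or add a comment saying it exists purely for the size arithmetic, and confirm that the heap buffer is freed on every return path of ftp_SendCommand(), including the early error returns. The new `return -1` is also silent; a log message on that path would help whoever has to diagnose it.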
How on earth can a format string be SIZE_MAX - 3 bytes long? The whole commit
makes absolutely no sense. This needs to be reverted.
--
Rémi Denis-Courmont
http://www.remlab.net/