[vlc-devel] [vlc-commits] stream_out: rtp: fix invalid memory access (write)
Rémi Denis-Courmont
remi at remlab.net
Sat Dec 6 18:42:59 CET 2014
On Friday 05 December 2014, 23:23:04 Fabian Yamaguchi wrote:
> vlc | branch: master | Fabian Yamaguchi <fyamagu at gwdg.de> | Fri Dec 5
> 13:58:24 2014 +0100| [de28a895b22b49e25ad2ae08218812f11e86ab14] |
> committer: Jean-Baptiste Kempf
>
> stream_out: rtp: fix invalid memory access (write)
>
> When streaming ogg-files via rtp, the ogg-file can trigger an invalid
> write access using an overly long 'configuration' string. The original
> code attempts to allocate space to hold the string on the stack and
> hence, cannot verify if allocation succeeds. Instead, we now allocate
> the buffer on the heap and return if allocation fails.
>
> Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
>
> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=de28a895b22b49e25ad2ae08218812f11e86ab14
> ---
>
> modules/stream_out/rtpfmt.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
> index 8119a36..2f4eb73 100644
> --- a/modules/stream_out/rtpfmt.c
> +++ b/modules/stream_out/rtpfmt.c
> @@ -559,7 +559,14 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t
> *id, const char *fmtp, char *end = strchr(start, ';');
> assert(end != NULL);
> size_t len = end - start;
> - char b64[len + 1];
> +
> + if (len == SIZE_MAX)
> + return VLC_EGENERIC;
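Review bot: the added `if (len == SIZE_MAX)` test after `size_t len = end - start;` cannot be true when `end` is a pointer returned by `strchr(start, ';')`, since both pointers lie in the same string and their distance is smaller than the size of that object. If it is meant to keep `len + 1` from wrapping in the allocation size, a comment should say so; it places no real bound on the length of the configuration string, so the allocation-failure check described in the commit message is what actually stops an overly long input. Separately, `assert(end != NULL);` is compiled out when NDEBUG is defined, so a string with no `;` after `start` would reach `end - start` with a null `end`; an explicit `if (end == NULL) return VLC_EGENERIC;` before the subtraction would cover that case.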
So len == SIZE_MAX.
Which means end == start + SIZE_MAX.
Which means that every single possible address is contained within the buffer.
Which includes NULL.
Which is (obviously) undefined.
--
Rémi Denis-Courmont
http://www.remlab.net/