[vlc-devel] stream_out: rtp: fix invalid memory access (write)

Rémi Denis-Courmont remi at remlab.net
Sun Dec 7 17:25:18 CET 2014


Le samedi 06 décembre 2014, 22:27:55 Fabian Yamaguchi a écrit :
> I sent this information to security at videolan.org as suggested by
> Jean-Baptiste Kempf. I then also sent the patches there. The fact that
> the commits are now discussed on vlc-devel is not under my control.

Look, I do not really care if it's the fault of the author, the committer or 
whomever. The problem is that those patches were proposed and merged with 
obviously neither proper self-review nor proper third party review.

And if you claim that something has a vulnerability, you have better be ready 
to prove it.

> I agree that the SIZE_MAX check is esoteric as a string that spans the
> entire address space will not exist on the target systems. I just added
> it to ensure that an integer overflow cannot occur in the allocation
> regardless of what funny changes the platform introduces over time. Feel
> free to discard the check, if it hurts your eyes, however, the point of
> the patch is to ensure that memory is allocated on the heap and not the
> stack.

No, it is not *only* about SIZE_MAX.
I still fail to see how there can be a stack overflow in SAP and in FTP.

I also strongly suspect the stream_Size() patch will raise an issue in 
Coverity because the fix is somewhat wrong.

Rémi Denis-Courmont

More information about the vlc-devel mailing list