[vlc-devel] [PATCH] src: input/stream: fix unsigned underflow by avoiding inconsistent state in error case

david.fuhrmann at gmail.com david.fuhrmann at gmail.com
Tue Jun 10 20:07:49 CEST 2014


From: David Fuhrmann <dfuhrmann at videolan.org>

The error case i_pos > tk->i_end implies that
p_sys->stream.i_offset > tk->i_end - tk->i_start. This is not allowed
as it leads to unsigned underflows in several places. Thus, i_offset
is set to a sane value.

The underflow needs to be handled in AStreamRefillStream, because it
is allowed to have a temporary out of range i_offset before the
stream is actually refilled.

close #11488
---
 src/input/stream.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/input/stream.c b/src/input/stream.c
index 18e77e2..418069f 100644
--- a/src/input/stream.c
+++ b/src/input/stream.c
@@ -1261,8 +1261,11 @@ static int AStreamSeekStream( stream_t *s, uint64_t i_pos )
         if( p_sys->stream.i_used < STREAM_READ_ATONCE / 2 )
             p_sys->stream.i_used = STREAM_READ_ATONCE / 2;
 
-        if( AStreamRefillStream( s ) && i_pos >= tk->i_end )
+        if( ( AStreamRefillStream( s ) && i_pos >= tk->i_end ) || i_pos > tk->i_end )
+        {
+            p_sys->stream.i_offset = tk->i_end - tk->i_start;
             return VLC_EGENERIC;
+        }
     }
     return VLC_SUCCESS;
 }
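Review bot: the new condition in AStreamSeekStream tests i_pos >= tk->i_end when the refill fails but i_pos > tk->i_end otherwise, and nothing in the code says why the two bounds differ or why i_offset is rewritten on the error path. The reason is only in the commit message, so a short comment above the if stating the invariant (i_offset must not exceed tk->i_end - tk->i_start) would keep it from being "simplified" later. The clamp itself computes tk->i_end - tk->i_start with no visible guarantee that i_end >= i_start at this point. If that always holds, an assert next to the assignment would document it. If it does not, the assignment reintroduces the same kind of underflow it is meant to remove.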
@@ -1338,9 +1341,10 @@ static int AStreamRefillStream( stream_t *s )
     stream_track_t *tk = &p_sys->stream.tk[p_sys->stream.i_tk];
 
     /* We read but won't increase i_start after initial start + offset */
+    unsigned i_free_buffer = (tk->i_end < tk->i_start + p_sys->stream.i_offset)
+        ? 0 : tk->i_end - tk->i_start - p_sys->stream.i_offset;
     int i_toread =
-        __MIN( p_sys->stream.i_used, STREAM_CACHE_TRACK_SIZE -
-               (tk->i_end - tk->i_start - p_sys->stream.i_offset) );
+        __MIN( p_sys->stream.i_used, STREAM_CACHE_TRACK_SIZE - i_free_buffer );
     bool b_read = false;
     int64_t i_start, i_stop;
 
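Review bot: i_free_buffer in AStreamRefillStream is declared as plain unsigned and its name does not match what it holds. The value is tk->i_end - tk->i_start - i_offset, which is then subtracted from STREAM_CACHE_TRACK_SIZE, so it is the amount already buffered past the offset rather than free space. Something like i_buffered would read correctly. For the type, i_pos is uint64_t in AStreamSeekStream and is compared directly with tk->i_end, so please declare the temporary with the same type as the track fields to avoid a silent narrowing. The guard compares tk->i_end against the sum tk->i_start + p_sys->stream.i_offset. Writing it as tk->i_end - tk->i_start < p_sys->stream.i_offset expresses the same check without forming a sum that could itself wrap. The new declaration also sits between the existing "We read but won't increase i_start" comment and the i_toread it describes, so moving it above the comment keeps the two together.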
-- 
1.8.5.2 (Apple Git-48)



