[vlc-devel] [PATCH 1/1] twolame: avoid buffer overflow

Rémi Denis-Courmont remi at remlab.net
Sat Sep 27 21:21:48 CEST 2014


Le samedi 27 septembre 2014, 15:10:48 Tristan Matthews a écrit :
> This should fix a crash reported on #videolan:
> http://pastie.org/private/haevgzk8vqei5gohgov55a
> 
> ---
>  modules/codec/twolame.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
> 
> diff --git a/modules/codec/twolame.c b/modules/codec/twolame.c
> index 3257b76..ec5498a 100644
> --- a/modules/codec/twolame.c
> +++ b/modules/codec/twolame.c
> @@ -251,12 +251,24 @@ static int OpenEncoder( vlc_object_t *p_this )
>  
> ***************************************************************************
> */ static void Bufferize( encoder_t *p_enc, int16_t *p_in, int i_nb_samples
> ) {
> -    int16_t *p_buffer = p_enc->p_sys->p_buffer
> -                         + (p_enc->p_sys->i_nb_samples
> -                             * p_enc->fmt_in.audio.i_channels);
> +    encoder_sys_t *p_sys = p_enc->p_sys;
> +    int16_t *p_buffer = p_sys->p_buffer +
> +        (p_sys->i_nb_samples * p_enc->fmt_in.audio.i_channels);
> +    const int16_t *p_end = p_sys->p_buffer + ARRAY_SIZE(p_sys->p_buffer);
> +    if (p_buffer >= p_end)
> +    {
> +        msg_Err( p_enc, "buffer full" );
> +        return;
> +    }
> +
> +    int i_copy = i_nb_samples * p_enc->fmt_in.audio.i_channels;
> +    if( i_copy + p_buffer > p_end )

This predicate can only ever be false or undefined.

> +    {
> +        msg_Err( p_enc, "dropping samples" );
> +        i_copy = p_end - p_buffer;
> +    }
> 
> -    memcpy( p_buffer, p_in, i_nb_samples * p_enc->fmt_in.audio.i_channels
> -                             * sizeof(int16_t) );
> +    memcpy( p_buffer, p_in, i_copy * sizeof(int16_t) );
>  }
> 
>  static block_t *Encode( encoder_t *p_enc, block_t *p_aout_buf )
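Review bot: The pointer p_buffer formed at the top of Bufferize (`p_sys->p_buffer + (p_sys->i_nb_samples * i_channels)`) is computed before the `p_buffer >= p_end` guard, so in exactly the overflow case this patch targets the arithmetic already points past the end of the array, which is not a valid pointer value even if it is never dereferenced. The bound is better checked on element counts, forming the pointer only after the count has been clamped; the rewrite below keeps the two msg_Err paths as written. It assumes `p_sys->p_buffer` is an array member (ARRAY_SIZE is only meaningful there) and that `i_nb_samples` and the channel count are non-negative, as the original arithmetic also assumes. Note that Bufferize returns void, so when samples are dropped the caller cannot learn that fewer were stored; Encode is outside this hunk, so whether its `p_sys->i_nb_samples` accounting stays consistent after a truncation should be checked there, and having Bufferize return the number of samples actually copied would make that possible.
```c
static void Bufferize( encoder_t *p_enc, int16_t *p_in, int i_nb_samples )
{
    encoder_sys_t *p_sys = p_enc->p_sys;
    const int i_channels = p_enc->fmt_in.audio.i_channels;
    const int i_cap = ARRAY_SIZE(p_sys->p_buffer); /* capacity in int16_t elements */
    int i_used = p_sys->i_nb_samples * i_channels;
    if( i_used >= i_cap )
    {
        msg_Err( p_enc, "buffer full" );
        return;
    }

    int i_copy = i_nb_samples * i_channels;
    if( i_copy > i_cap - i_used )
    {
        msg_Err( p_enc, "dropping samples" );
        i_copy = i_cap - i_used;
    }

    /* pointer is formed only after the element count is known to be in range */
    memcpy( p_sys->p_buffer + i_used, p_in, i_copy * sizeof(int16_t) );
}
```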

-- 
Rémi Denis-Courmont
http://www.remlab.net/



