[vlc-devel] [PATCH] demux/asf: prevent integer overflow in ASF_NextObject
Filip Roséen
filip at videolabs.io
Sat Jul 16 04:55:02 CEST 2016
Before returning from ASF_NextObject, the former implementation would
simply calculate "p_obj->common.i_object_pos + p_obj->common.i_object_size",
and pass the result to stream_Seek.
Of course this is rather dangerous given that the value of ".i_object_size"
is populated by simply reading the input stream.
This patch fixes that issue.
--
A little testcase to generate a file that would cause VLC to choke:
wget 'https://samples.ffmpeg.org/asf-wmv/welcome3.wmv' -O testcase.wmv
perl -e 'use bigint; print pack "Q", 2**64 - 178795' \
| dd of="testcase.wmv" bs=1 seek=178811 count=8 conv=notrunc
./vlc-devel testcase.wmv
Sorry for the magic constants, but 178811 is the position of the stored size
for an object residing at offset 178795; and as can be calculated, the
modification would previously (before this patch) cause us to stream_Seek back
to offset 0.
md5sum: 745e96b57e6b980e350dbaef66007bd5 welcome3.wmv
---
modules/demux/asf/libasf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/demux/asf/libasf.c b/modules/demux/asf/libasf.c
index c7b3213..16c6832 100644
--- a/modules/demux/asf/libasf.c
+++ b/modules/demux/asf/libasf.c
@@ -156,6 +156,9 @@ static int ASF_NextObject( stream_t *s, asf_object_t *p_obj, uint64_t i_boundary
if( p_obj->common.i_object_size <= 0 )
return VLC_EGENERIC;
+ if( ( UINT64_MAX - p_obj->common.i_object_pos ) < p_obj->common.i_object_size )
+ return VLC_EGENERIC;
+
if( p_obj->common.p_father &&
p_obj->common.p_father->common.i_object_size != 0 )
{
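Review bot: the new check is correct for wraparound (`UINT64_MAX - i_object_pos < i_object_size` is exactly `i_object_pos + i_object_size > UINT64_MAX`, evaluated without overflowing), but it only rejects sums that wrap; a size that is enormous yet does not wrap still passes here and is then constrained only by the `i_boundary` / father-size logic that follows and by whatever stream_Seek does past EOF, so a one-line comment above the check saying it protects the `i_object_pos + i_object_size` sum passed to stream_Seek would make the intent clear to the next reader. While touching these lines, the pre-existing `if( p_obj->common.i_object_size <= 0 )` on an unsigned field is effectively `== 0` and could be written as such.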
--
2.9.0
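As an added illustration (not VLC code, and not part of the patch above), the following C function computes the offset of the next object from the current object's position and size the way ASF_NextObject must, but refuses any pair whose sum would wrap around uint64_t. It is driven with the values from the commit message (object at offset 178795, crafted size 2**64 - 178795) to show the naive addition landing on offset 0 while the guarded version rejects it. The `boundary` parameter and its meaning (an upper limit on acceptable offsets, e.g. the stream size) are an assumption of this example, not VLC's `i_boundary` semantics.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive computation: pos + size in modular arithmetic. Wraps silently. */
static uint64_t naive_next_offset(uint64_t pos, uint64_t size)
{
    return pos + size;
}

/* Guarded computation (example code, not VLC's ASF_NextObject).
 * Returns true and stores pos + size in *next when the sum is representable
 * and does not exceed `boundary`; returns false otherwise.
 * `boundary` is an assumed upper limit on valid offsets (e.g. stream size). */
static bool asf_next_object_offset(uint64_t pos, uint64_t size,
                                   uint64_t boundary, uint64_t *next)
{
    if (size == 0)
        return false;                     /* empty object, mirrors the existing check */
    if (UINT64_MAX - pos < size)
        return false;                     /* pos + size would wrap around uint64_t */
    if (pos + size > boundary)
        return false;                     /* would seek past the assumed end of stream */
    *next = pos + size;
    return true;
}

int main(void)
{
    /* Constructed input, taken from the commit message: object at 178795 with
     * a crafted size of 2**64 - 178795, which is UINT64_MAX - 178794. */
    const uint64_t pos = 178795;
    const uint64_t crafted = UINT64_MAX - 178794;
    const uint64_t boundary = 1000000;    /* hypothetical stream size */
    uint64_t next;

    printf("naive next offset: %llu\n",
           (unsigned long long)naive_next_offset(pos, crafted)); /* wraps to 0 */
    printf("guarded accepts crafted size: %s\n",
           asf_next_object_offset(pos, crafted, boundary, &next) ? "yes" : "no");

    if (asf_next_object_offset(pos, 16, boundary, &next))
        printf("guarded next offset for a 16-byte object: %llu\n",
               (unsigned long long)next); /* 178811 */
    return 0;
}
```

The guard uses subtraction from UINT64_MAX rather than checking the sum after the fact, because the sum itself is what wraps; this is the same shape as the check in the patch, with the boundary comparison added as a second line of defence.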