[vlc-devel] [RFC 10/38] demux/stl.c: fix potential off-by-one read

[Filip Roséen]

accessing "&sys->index[0]" is only valid as long as tti_count is larger
than zero, as such a branch has been introduced to protect the relevant
section of the code.
---
 modules/demux/stl.c | 60 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/modules/demux/stl.c b/modules/demux/stl.c
index 88b6803..02d0518 100644
--- a/modules/demux/stl.c
+++ b/modules/demux/stl.c
@@ -194,36 +194,40 @@ static int Open(vlc_object_t *object)
     }
 
     bool comment = false;
-    stl_entry_t *s = &sys->index[0];
-    s->count = 0;
-
-    for (int i = 0; i < tti_count; i++) {
-        uint8_t tti[16];
-        if (stream_Read(demux->s, tti, 16) != 16 ||
-            stream_Read(demux->s, NULL, 112) != 112) {
-            msg_Warn(demux, "Incomplete EBU STL file");
-            break;
-        }
-        const int ebn = tti[3];
-        if (ebn >= 0xf0 && ebn <= 0xfd)
-            continue;
-        if (ebn == 0xfe)
-            continue;
-
-        if (s->count <= 0) {
-            comment  = tti[15] != 0;
-            s->start = ParseTimeCode(&tti[5], fps) - program_start;
-            s->stop  = ParseTimeCode(&tti[9], fps) - program_start;
-            s->index = i;
+
+    if( tti_count > 0 )
+    {
+        stl_entry_t *s = &sys->index[0];
+        s->count = 0;
+
+        for (int i = 0; i < tti_count; i++) {
+            uint8_t tti[16];
+            if (stream_Read(demux->s, tti, 16) != 16 ||
+                stream_Read(demux->s, NULL, 112) != 112) {
+                msg_Warn(demux, "Incomplete EBU STL file");
+                break;
+            }
+            const int ebn = tti[3];
+            if (ebn >= 0xf0 && ebn <= 0xfd)
+                continue;
+            if (ebn == 0xfe)
+                continue;
+
+            if (s->count <= 0) {
+                comment  = tti[15] != 0;
+                s->start = ParseTimeCode(&tti[5], fps) - program_start;
+                s->stop  = ParseTimeCode(&tti[9], fps) - program_start;
+                s->index = i;
+            }
+            s->count++;
+            if (ebn == 0xff && !comment)
+                s = &sys->index[++sys->count];
+            if (ebn == 0xff && sys->count < tti_count)
+                s->count = 0;
         }
-        s->count++;
-        if (ebn == 0xff && !comment)
-            s = &sys->index[++sys->count];
-        if (ebn == 0xff && sys->count < tti_count)
-            s->count = 0;
+        if (sys->count > 0)
+            stream_Seek(demux->s, 1024 + 128LL * sys->index[0].index);
     }
-    if (sys->count > 0)
-        stream_Seek(demux->s, 1024 + 128LL * sys->index[0].index);
 
     es_format_t fmt;
     es_format_Init(&fmt, SPU_ES, VLC_CODEC_EBU_STL);
-- 
2.9.0