[vlc-devel] [PATCH] demux/aiff: fix integer overflow leading to infinite loop

Filip Roséen filip at atch.se
Sat Oct 29 00:10:41 CEST 2016 

The previous implementation could potentially overflow the uint32_t
holding the data-size when adding the size of the mandatory header, in
order to consume the entire chunk. If that happened we could end up in
an infinite loop (given that we are not guaranteed to make progress).

These changes fixes the issue by introducing another variable that is
only used for the purpose of storing the chunk (total) size.

fixes #17562

--

I will clean-up the implementation shortly, but thought I would
address this immidiate issue as soon as possible.

The demuxer can be made a lot simpler, and a lot safer.
---
 modules/demux/aiff.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/modules/demux/aiff.c b/modules/demux/aiff.c
index bdd0308..02cc711 100644
--- a/modules/demux/aiff.c
+++ b/modules/demux/aiff.c
@@ -123,14 +123,13 @@ static int Open( vlc_object_t *p_this )
 
     for( ;; )
     {
-        uint32_t i_size;
-
         if( vlc_stream_Peek( p_demux->s, &p_peek, 8 ) < 8 )
             goto error;
 
-        i_size = GetDWBE( &p_peek[4] );
+        uint32_t i_data_size = GetDWBE( &p_peek[4] );
+        ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) ^ 1;
 
-        msg_Dbg( p_demux, "chunk fcc=%4.4s size=%d", p_peek, i_size );
+        msg_Dbg( p_demux, "chunk fcc=%4.4s size=%" PRIu32, p_peek, i_data_size );
 
         if( !memcmp( p_peek, "COMM", 4 ) )
         {
@@ -152,7 +151,7 @@ static int Open( vlc_object_t *p_this )
                 goto error;
 
             p_sys->i_ssnd_pos = vlc_stream_Tell( p_demux->s );
-            p_sys->i_ssnd_size = i_size;
+            p_sys->i_ssnd_size = i_data_size;
             p_sys->i_ssnd_offset = GetDWBE( &p_peek[8] );
             p_sys->i_ssnd_blocksize = GetDWBE( &p_peek[12] );
 
@@ -165,11 +164,8 @@ static int Open( vlc_object_t *p_this )
             break;
         }
 
-        /* Skip this chunk */
-        i_size += 8;
-        if( (i_size % 2) != 0 )
-            i_size++;
-        if( vlc_stream_Read( p_demux->s, NULL, i_size ) != (int)i_size )
+        /* consume chunk */
+        if( vlc_stream_Read( p_demux->s, NULL, i_chunk_size ) != i_chunk_size )
         {
             msg_Warn( p_demux, "incomplete file" );
             goto error;
-- 
2.10.1

More information about the vlc-devel mailing list