[vlc-devel] [PATCH] demux/aiff: fix integer overflow leading to infinite loop
Filip Roséen
filip at atch.se
Sat Oct 29 00:21:52 CEST 2016
Hi,
Seems like today is the day where I make a lot of typos and silly
mistakes... right after sending the patch I realized that the
bit fiddling is of course wrong.
I deeply apologize, and perhaps I could mention that I got news of
illness recently in the family - so my mind is somewhat scattered at
the moment.
-----------------------------------------------------------------------
In order to align something to a boundary of 2, `(x + 1) & ~1` does
the right thing, `( x + 1 ) ^ 1` does not make any sense whatsoever.
See attached patch for a correct implementation, and the below for the
difference between the previously submitted one and the new one.
- ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) ^ 1;
+ ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) & ~1;
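Review bot: in the new `+` line the sum `( i_data_size + 8 + 1 )` is still evaluated in the width of `i_data_size` (uint32_t, per the quoted commit message) before the result is widened to `ssize_t`, so a data size close to UINT32_MAX wraps to a small value and the masked result can be 0, which is the same stall the commit message describes. Widen the operand to a 64-bit type before adding the header size, e.g. `( (uint64_t) i_data_size + 8 + 1 ) & ~(uint64_t)1`, and reject a chunk size that would not advance the read position.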
Best regards,
Filip
-----------------------------------------------------------------------
On 2016-10-29 00:10, Filip Roséen wrote:
> The previous implementation could potentially overflow the uint32_t
> holding the data-size when adding the size of the mandatory header, in
> order to consume the entire chunk. If that happened we could end up in
> an infinite loop (given that we are not guaranteed to make progress).
>
> These changes fix the issue by introducing another variable that is
> only used for the purpose of storing the chunk (total) size.
>
> fixes #17562
>
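An added C example, not part of the patch or of VLC's code, contrasting the two alignment expressions above and showing why the chunk-size sum has to be widened before the 8-byte header is added; the function names and the 64-bit widening are assumptions made for the example, not VLC's API.

```c
#include <stdint.h>
#include <stdio.h>

/* Round x up to the next even value: the form the corrected patch uses. */
static uint64_t align2(uint64_t x)
{
    return (x + 1) & ~(uint64_t)1;
}

/* The expression from the first submission: XOR does not round, it flips
 * the low bit, so odd inputs come out two too large. Kept for comparison. */
static uint64_t align2_xor(uint64_t x)
{
    return (x + 1) ^ 1;
}

/* Total on-disk size of an AIFF chunk: 8-byte header (4-byte id plus
 * 4-byte size) plus the data, padded to an even length. The sum is done
 * in 64 bits so the 32-bit data size cannot wrap. (Assumed helper.) */
static uint64_t aiff_chunk_size(uint32_t i_data_size)
{
    return align2((uint64_t)i_data_size + 8);
}

/* Same calculation in 32-bit unsigned arithmetic, reproducing the wrap the
 * commit message warns about: the result can be 0, so a reader loop that
 * advances by it makes no progress. */
static uint32_t aiff_chunk_size_u32(uint32_t i_data_size)
{
    return (i_data_size + 8 + 1) & ~1u;
}

int main(void)
{
    /* Constructed data size that sits 8 bytes below the uint32_t limit. */
    const uint32_t near_max = 0xFFFFFFF8u;
    printf("align2(3)=%llu align2_xor(3)=%llu\n",
           (unsigned long long)align2(3), (unsigned long long)align2_xor(3));
    printf("64-bit chunk size: %llu, 32-bit chunk size: %u\n",
           (unsigned long long)aiff_chunk_size(near_max),
           aiff_chunk_size_u32(near_max));
    return 0;
}
```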
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-demux-aiff-fix-integer-overflow-leading-to-infinite-.patch
Type: text/x-diff
Size: 2504 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20161029/34213f8a/attachment.patch>