[vlc-devel] [PATCH] demux/aiff: fix integer overflow leading to infinite loop

Filip Roséen filip at atch.se
Sat Oct 29 00:21:52 CEST 2016


Seems like today is the day where I make a lot of typos and silly
mistakes.. right after sending the patch I realized that the
bitfiddling is of course wrong.

I deeply apologize, and perhaps I could mention that I got news of
illness recently in the family - so my mind is somewhat scattered at
the moment.


In order to align something to a boundrary of 2, `(x + 1) & ~1` does
the right thing, `( x + 1 ) ^ 1` does not make any sense whatsoever.

See attached patch for a correct implementation, and the below for a
difference between the previous submitted, and the new one.

    -        ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) ^ 1;
    +        ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) & ~1;

Best regards,\


On 2016-10-29 00:10, Filip Roséen wrote:

> The previous implementation could potentially overflow the uint32_t
> holding the data-size when adding the size of the mandatory header, in
> order to consume the entire chunk. If that happened we could end up in
> an infinite loop (given that we are not guaranteed to make progress).
> These changes fixes the issue by introducing another variable that is
> only used for the purpose of storing the chunk (total) size.
> fixes #17562
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20161029/34213f8a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-demux-aiff-fix-integer-overflow-leading-to-infinite-.patch
Type: text/x-diff
Size: 2504 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20161029/34213f8a/attachment.patch>

More information about the vlc-devel mailing list