[vlc-devel] [PATCH] demux/aiff: fix integer overflow leading to infinite loop
Filip Roséen
filip at atch.se
Sat Oct 29 09:52:48 CEST 2016
Hi Remi,
On 2016-10-29 10:51, Rémi Denis-Courmont wrote:
> On Saturday 29 October 2016, 0:10:41 EEST, Filip Roséen wrote:
> > The previous implementation could potentially overflow the uint32_t
> > holding the data-size when adding the size of the mandatory header, in
> > order to consume the entire chunk. If that happened we could end up in
> > an infinite loop (given that we are not guaranteed to make progress).
> >
> > These changes fix the issue by introducing another variable that is
> > only used for the purpose of storing the chunk (total) size.
> >
> > fixes #17562
> >
> > --
> >
> > I will clean up the implementation shortly, but thought I would
> > address this immediate issue as soon as possible.
> >
> > The demuxer can be made a lot simpler, and a lot safer.
> > ---
> > modules/demux/aiff.c | 16 ++++++----------
> > 1 file changed, 6 insertions(+), 10 deletions(-)
> >
> > diff --git a/modules/demux/aiff.c b/modules/demux/aiff.c
> > index bdd0308..02cc711 100644
> > --- a/modules/demux/aiff.c
> > +++ b/modules/demux/aiff.c
> > @@ -123,14 +123,13 @@ static int Open( vlc_object_t *p_this )
> >
> > for( ;; )
> > {
> > - uint32_t i_size;
> > -
> > if( vlc_stream_Peek( p_demux->s, &p_peek, 8 ) < 8 )
> > goto error;
> >
> > - i_size = GetDWBE( &p_peek[4] );
> > + uint32_t i_data_size = GetDWBE( &p_peek[4] );
> > + ssize_t i_chunk_size = ( i_data_size + 8 + 1 ) ^ 1;
>
> On 32-bits, this is undefined overflow if i_data_size > 0x7ffffff6.
Yeah, I replied saying that I am working on a more extensive fix of
the issue (you should see patches on the mailing list shortly)!
> --
> Rémi Denis-Courmont
> Nonsponsored VLC developer
> http://www.remlab.net/CV.pdf
>
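To make the failure mode in the commit message concrete, here is an added example (constructed for this page, not VLC's code): a minimal walker over IFF-style chunks of the kind AIFF uses, shaped like the `for( ;; )` loop in modules/demux/aiff.c but running over an in-memory buffer instead of a vlc_stream. `chunk_size_unsafe` computes the total chunk size in uint32_t the way the pre-patch code did, `chunk_size_safe` widens to 64 bits first, and `walk_chunks` shows that the wrapped size gives a zero-length step (reported here as `WALK_NO_PROGRESS` rather than spinning) while the hardened size is rejected as larger than the remaining input. The chunk IDs, data sizes and the helper names are assumptions of this example, and the two input buffers are constructed by hand.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not VLC code. Each chunk is an 8-byte header
 * (4-byte ID, 4-byte big-endian data size) followed by the data, padded
 * to an even length, as in the IFF/AIFF container. */

static uint32_t get_dw_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Total chunk size computed the way the vulnerable code did it: header
 * plus data plus pad byte, all in uint32_t. For data sizes >= 0xFFFFFFF8
 * the addition wraps; for exactly 0xFFFFFFF8 the result is 0. */
uint32_t chunk_size_unsafe(uint32_t data_size)
{
    return (data_size + 8 + 1) & ~(uint32_t)1;   /* round up to even */
}

/* Hardened: widen before adding so the sum can never wrap. The result is
 * always in [8, 0x100000008] and therefore always makes progress. */
uint64_t chunk_size_safe(uint32_t data_size)
{
    return ((uint64_t)data_size + 8 + 1) & ~(uint64_t)1;
}

enum walk_result {
    WALK_OK = 0,           /* consumed every chunk in the buffer */
    WALK_TRUNCATED = -1,   /* a chunk claims more bytes than remain */
    WALK_NO_PROGRESS = -2  /* size computed as 0: the original demuxer
                              would loop forever at this point */
};

/* Walks the chunk list in buf[0..len). With hardened == false the wrapping
 * uint32_t size is used, as in the vulnerable demuxer; instead of spinning
 * on a zero-length step this walker reports it. The number of chunks
 * consumed before returning is stored in *n_chunks when non-NULL. */
int walk_chunks(const uint8_t *buf, size_t len, bool hardened, unsigned *n_chunks)
{
    size_t pos = 0;
    unsigned n = 0;
    int rc = WALK_OK;

    while (len - pos >= 8) {               /* need a full header to go on */
        uint32_t data_size = get_dw_be(buf + pos + 4);
        uint64_t chunk_size = hardened ? chunk_size_safe(data_size)
                                       : chunk_size_unsafe(data_size);
        if (chunk_size == 0) { rc = WALK_NO_PROGRESS; break; }
        if (chunk_size > (uint64_t)(len - pos)) { rc = WALK_TRUNCATED; break; }
        pos += (size_t)chunk_size;
        n++;
    }
    if (n_chunks) *n_chunks = n;
    return rc;
}

/* Constructed input: a well-formed 18-byte COMM chunk followed by a hostile
 * SSND chunk whose declared data size is 0xFFFFFFF8. */
static const uint8_t hostile_aiff[] = {
    'C','O','M','M', 0x00,0x00,0x00,0x12,   /* size 18, even, no pad */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,    /* 18 bytes of COMM data */
    'S','S','N','D', 0xFF,0xFF,0xFF,0xF8,   /* 0xFFFFFFF8 + 9 wraps to 1 */
    0,0,0,0,0,0,0,0                         /* a few bytes of "data" */
};

/* Constructed input: two well-formed chunks, the second with an odd size
 * so the pad byte is exercised (3 data bytes + 1 pad = 12 with header). */
static const uint8_t benign_aiff[] = {
    'C','O','M','M', 0x00,0x00,0x00,0x12,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    'S','S','N','D', 0x00,0x00,0x00,0x03,
    1,2,3, 0
};

int main(void)
{
    unsigned n;
    int rc;

    rc = walk_chunks(benign_aiff, sizeof benign_aiff, true, &n);
    printf("benign,  hardened: rc=%d chunks=%u\n", rc, n);
    rc = walk_chunks(hostile_aiff, sizeof hostile_aiff, false, &n);
    printf("hostile, unsafe:   rc=%d chunks=%u (would hang in the original)\n", rc, n);
    rc = walk_chunks(hostile_aiff, sizeof hostile_aiff, true, &n);
    printf("hostile, hardened: rc=%d chunks=%u (oversized chunk rejected)\n", rc, n);
    return 0;
}
```

The walker deliberately treats a size below what remains in the input as a hard error rather than clamping it, since a demuxer that silently shortens a chunk can desynchronise on the next header; the point that matters for the bug on this page is that the size arithmetic is done at a width that cannot wrap and that a step of fewer than 8 bytes is never taken.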