[vlc-devel] [PATCH] demux: stl: fix heap-buffer-overflow

Shaleen Jain shaleen.jain95 at gmail.com
Tue Jul 4 13:23:47 CEST 2017


Oh sorry, I meant: add a guard to prevent attempting allocation if we
have 0 elements.
Zero elements are not valid and allocating 0 stl_entry_t may or may
not return a NULL pointer.
Regards,
Shaleen Jain

On Tue, Jul 4, 2017 at 4:41 PM, Rémi Denis-Courmont <remi at remlab.net> 
wrote:
> On 4 July 2017 10:16:41 GMT+03:00, Shaleen Jain 
> <shaleen.jain95 at gmail.com> wrote:
>> According to the spec, calloc can return either NULL or a unique pointer
>> value if either of the arguments is 0, depending on the 
>> implementation.
>> 
>> Add a guard to prevent member access if we get a non-null pointer in
>> the above case.
>> ---
>>  modules/demux/stl.c | 2 ++
>>  1 file changed, 2 insertions(+)
>> 
>> diff --git a/modules/demux/stl.c b/modules/demux/stl.c
>> index 9a0d5a131e..9d27a79458 100644
>> --- a/modules/demux/stl.c
>> +++ b/modules/demux/stl.c
>> @@ -243,6 +243,8 @@ static int Open(vlc_object_t *object)
>>      const mtime_t program_start = ParseTextTimeCode(&header[256], 
>> fps);
>>      const size_t tti_count = ParseInteger(&header[238], 5);
>>      msg_Dbg(demux, "Detected EBU STL : CCT=%d TTI=%zu start=%8.8s 
>> %"PRId64, cct, tti_count, &header[256], program_start);
>> +    if(!tti_count)
>> +        return VLC_EGENERIC;
>> 
>>      demux_sys_t *sys = malloc(sizeof(*sys));
>>      if(!sys)
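Review bot: the commit message and the check disagree on the rationale: the message justifies the `if(!tti_count) return VLC_EGENERIC;` guard by calloc's zero-size behaviour, but what the guard actually does is reject a file whose TTI count field parses as zero, so the message should say that a zero TTI count is invalid and is refused up front (which is also what makes the later NULL check on the allocation unambiguous). The placement itself is right, since it sits before `demux_sys_t *sys = malloc(sizeof(*sys));` and nothing has to be freed on that return path. Consider a `msg_Warn(demux, ...)` before the return so the rejection shows up in the log next to the "Detected EBU STL" line rather than failing silently.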
> 
> I am confused by the description here. If 0 elements is a valid 
> situation, then the error predicate is wrong as NULL would be 
> conditionally valid return.
> --
> Rémi Denis-Courmont
> Typed on an inconvenient virtual keyboard
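The point under discussion, as an added example that is not VLC's code and not part of the thread: a hypothetical stl_open() that parses the 5-digit ASCII TTI count at header offset 238 (the only layout detail taken from the patch), rejects a zero count before calling calloc(), and a small probe showing what calloc(0, size) returns on the local libc. The stl_entry_t fields, the status codes, the 1024-byte header buffer and all function names are assumptions made for the example.

```c
/* Added example (not VLC code): reject a zero TTI count before calloc()
 * instead of relying on calloc's return value. Names below are hypothetical;
 * the only layout detail taken from the patch is the 5-digit ASCII count at
 * header[238]. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { STL_OK = 0, STL_EBADHDR = -1, STL_ENOMEM = -2, STL_EEMPTY = -3 };

#define HEADER_LEN 1024   /* constructed buffer size, not the real GSI layout */

typedef struct {
    int64_t start;        /* placeholder fields; the real stl_entry_t differs */
    int64_t stop;
} stl_entry_t;

typedef struct {
    stl_entry_t *entries;
    size_t count;
} stl_sys_t;

/* Parse an n-digit unsigned ASCII decimal field; -1 if any byte is not a digit. */
static long parse_ascii_field(const uint8_t *p, size_t n)
{
    long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Hardened open: the zero check sits before any allocation, so there is
 * nothing to free on the error path and no zero-size calloc() ever happens. */
static int stl_open(const uint8_t *header, size_t header_len, stl_sys_t *sys)
{
    if (header_len < 238 + 5)
        return STL_EBADHDR;
    long n = parse_ascii_field(&header[238], 5);
    if (n < 0)
        return STL_EBADHDR;
    if (n == 0)               /* a file with no TTI blocks is invalid: reject it here */
        return STL_EEMPTY;

    sys->entries = calloc((size_t)n, sizeof(*sys->entries));
    if (!sys->entries)
        return STL_ENOMEM;
    sys->count = (size_t)n;
    /* Indexing happens only after count > 0 and the allocation is known good. */
    for (size_t i = 0; i < sys->count; i++)
        sys->entries[i].start = (int64_t)i;
    return STL_OK;
}

/* Build a constructed header: filler spaces with the count field at offset 238. */
static void make_header(uint8_t *buf, size_t len, const char *tti_field)
{
    memset(buf, ' ', len);
    memcpy(&buf[238], tti_field, 5);
}

/* Open a constructed header, report the status and the entry count allocated. */
static int try_open(const char *tti_field, size_t *count_out)
{
    uint8_t header[HEADER_LEN];
    stl_sys_t sys = { NULL, 0 };
    make_header(header, sizeof header, tti_field);
    int rc = stl_open(header, sizeof header, &sys);
    if (count_out)
        *count_out = sys.count;
    free(sys.entries);
    return rc;
}

/* What the unchecked code relied on: whether calloc(0, size) is NULL here.
 * The C standard leaves this implementation-defined, which is why a pointer
 * test alone cannot detect the zero-count case. */
static int zero_size_calloc_is_non_null(void)
{
    void *p = calloc(0, sizeof(stl_entry_t));
    int non_null = (p != NULL);
    free(p);
    return non_null;
}

int main(void)
{
    size_t count = 0;
    int rc = try_open("00000", &count);
    printf("TTI=00000 -> rc=%d (STL_EEMPTY=%d)\n", rc, STL_EEMPTY);
    rc = try_open("00003", &count);
    printf("TTI=00003 -> rc=%d, count=%zu\n", rc, count);
    rc = try_open("0003x", &count);
    printf("TTI=0003x -> rc=%d (STL_EBADHDR=%d)\n", rc, STL_EBADHDR);
    printf("calloc(0, size) returns %s on this libc\n",
           zero_size_calloc_is_non_null() ? "a non-NULL pointer" : "NULL");
    return 0;
}
```

The last line of output differs between C libraries, which is exactly why the count has to be checked directly: on a libc that hands back a unique pointer for a zero-size request, the unguarded code would pass the NULL test and then index a block with no room for even one entry.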