[vlc-devel] [PATCH] codec/jpeg: jpeg_GetProjection: prevent out-of-bound read
Filip Roséen
filip at atch.se
Thu May 18 16:46:05 CEST 2017
We must take ill-formed XMP data into account, as a missing
null-termination of the XMP data leads to a heap-buffer-overflow (as
later parts of the implementation assume that the data is
null-terminated (as it should be)).
fixes: #18340
---
modules/codec/jpeg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/codec/jpeg.c b/modules/codec/jpeg.c
index 5c26d1fc69..90cd06a18a 100644
--- a/modules/codec/jpeg.c
+++ b/modules/codec/jpeg.c
@@ -301,10 +301,11 @@ static void jpeg_GetProjection(j_decompress_ptr cinfo, video_format_t *fmt)
if (xmp_marker == NULL || xmp_marker->data_length < 32)
return;
- char *psz_rdf = malloc(xmp_marker->data_length - 29);
+ char *psz_rdf = malloc(xmp_marker->data_length - 29 + 1);
if (unlikely(psz_rdf == NULL))
return;
memcpy(psz_rdf, xmp_marker->data + 29, xmp_marker->data_length - 29);
+ psz_rdf[xmp_marker->data_length - 29] = '\0';
/* Try to find the string "GSpherical:Spherical" because the v1
spherical video spec says the tag must be there. */
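Review bot: the expression `xmp_marker->data_length - 29` is now written out three times (the malloc size, the memcpy length and the terminator index), and the fix is only correct while all three stay in step. Compute it once into a local, for example `size_t i_rdf_len = xmp_marker->data_length - 29;`, then allocate `i_rdf_len + 1`, copy `i_rdf_len` bytes and write the `'\0'` at `psz_rdf[i_rdf_len]`. The offset 29 and the guard value 32 are also unexplained in the visible lines; a named constant or a short comment saying what the 29-byte prefix is would make the bounds easier to audit. One behavioural point to document: the terminator guarantees that the string search below stops inside the allocation, but a NUL byte embedded in the marker data will still end that search early, so the comment could state that the payload is treated as a C string from here on.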
--
2.12.2