[vlc] Can we trust local fake "registry" file?

tielei.wang tielei.wang at gmail.com
Mon Sep 8 07:12:53 CEST 2008


Hi all,

I'm not sure what the open_registry function in loader/registry.c is used for, but a crafted "registry" file could trigger an integer overflow and result in a heap overflow.

Look at the code snippets:

    fd = open(localregpathname, O_RDONLY);
    if (fd == -1)
    {
        printf("Creating new registry\n");
        create_registry();
        return;
    }
    read(fd, &reg_size, 4);
    regs=(struct reg_value*)malloc(reg_size*sizeof(struct reg_value));
    head = 0;
    for(i=0; i<reg_size; i++)
    {
        read(fd,&regs[i].type,4);

reg_size is read from a file. If reg_size is large enough, reg_size*sizeof(struct reg_value) will overflow.

Regards.

2008-09-08 



tielei.wang 
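The following is an added example, not code from the post or from VLC, that reproduces the arithmetic described above and shows the check that would have prevented it. It assumes a struct reg_value layout of two ints and two pointers (16 bytes on a 32-bit build; the real layout in loader/registry.c may differ), emulates a 32-bit size_t explicitly so the wrap is reproducible on any host, decodes the leading count as little-endian, and parses a constructed 8-byte registry image rather than a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout modelled on loader/registry.c; the field order is illustrative. */
struct reg_value {
    int   type;
    char *name;
    int   len;
    char *value;
};

/* Constructed "registry" image: a 32-bit count followed by the first entry's
 * type field. The count is 0x10000000, chosen so that count * 16 == 2^32. */
static const unsigned char crafted_registry[] = {
    0x00, 0x00, 0x00, 0x10,   /* reg_size = 0x10000000 (little-endian) */
    0x01, 0x00, 0x00, 0x00,   /* regs[0].type */
};

/* Reads the leading count the way the original does (four raw bytes),
 * decoded little-endian here so the example behaves the same on any host. */
uint32_t read_reg_size(const unsigned char *img, size_t len)
{
    if (len < 4)
        return 0;
    return (uint32_t)img[0] | ((uint32_t)img[1] << 8) |
           ((uint32_t)img[2] << 16) | ((uint32_t)img[3] << 24);
}

/* The original arithmetic with a 32-bit size_t: reg_size * entry_size is
 * computed modulo 2^32, so a large count silently yields a tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t reg_size, uint32_t entry_size)
{
    return reg_size * entry_size;   /* wraps; 0x10000000 * 16 == 0 */
}

/* Hardened form: refuse any count whose product cannot fit in 32 bits before
 * it reaches malloc(). Returns 0 and fills *out on success, -1 if unsafe. */
int checked_alloc_size(uint32_t reg_size, uint32_t entry_size, uint32_t *out)
{
    if (entry_size == 0 || reg_size > UINT32_MAX / entry_size)
        return -1;
    *out = reg_size * entry_size;
    return 0;
}

/* Convenience predicate: 1 if the count would be accepted by the hardened
 * check, 0 if it would be rejected. */
int registry_count_is_safe(uint32_t reg_size, uint32_t entry_size)
{
    uint32_t unused;
    return checked_alloc_size(reg_size, entry_size, &unused) == 0;
}

/* Bytes the read loop will actually write for reg_size entries, computed in
 * 64 bits so it cannot wrap; compare this with what malloc() was handed. */
uint64_t bytes_written_by_loop(uint32_t reg_size, uint32_t entry_size)
{
    return (uint64_t)reg_size * entry_size;
}

int main(void)
{
    const uint32_t entry_size = 16;   /* sizeof(struct reg_value) on a 32-bit build */
    uint32_t reg_size = read_reg_size(crafted_registry, sizeof crafted_registry);
    uint32_t alloc    = unchecked_alloc_size(reg_size, entry_size);
    uint64_t needed   = bytes_written_by_loop(reg_size, entry_size);

    printf("reg_size=0x%08x malloc(%u) but loop writes %llu bytes -> %s\n",
           (unsigned)reg_size, (unsigned)alloc, (unsigned long long)needed,
           needed > alloc ? "heap overflow" : "ok");

    if (!registry_count_is_safe(reg_size, entry_size))
        printf("hardened parser rejects count 0x%08x before malloc()\n",
               (unsigned)reg_size);
    return 0;
}
```

The wrapped product is what gets passed to malloc(), while the for loop is still driven by the original reg_size, so the very first read() into regs[i].type writes past the end of a near-empty allocation. The division-based check is the portable way to test a count against an element size; a sane upper bound on reg_size, or reading the entries with bounded I/O, would be the usual additional defence.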