vlc | branch: master | Nickolai Zeldovich <[email protected]> | Wed Jan 16 20:03:20 2013 -0500| [dee928705dd32839317dca0e77089b02dd720763] | committer: Rémi Denis-Courmont
modules/services_discovery/sap.c: avoid out-of-bounds write After OpenDemux reads data using stream_Read(), it writes a '\0' to the buffer after the newly-read data, but if the stream returned exactly i_read_max bytes, this '\0' will end up just past the end of the allocated psz_sdp array (see the call to realloc at the beginning of the loop). Adjust the realloc call to allocate this one extra byte. Signed-off-by: Rémi Denis-Courmont <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=dee928705dd32839317dca0e77089b02dd720763 --- modules/services_discovery/sap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/services_discovery/sap.c b/modules/services_discovery/sap.c index a328596..faf5b22 100644 --- a/modules/services_discovery/sap.c +++ b/modules/services_discovery/sap.c @@ -351,7 +351,7 @@ static int OpenDemux( vlc_object_t *p_this ) for( i_len = 0, psz_sdp = NULL; i_len < 65536; ) { const int i_read_max = 1024; - char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max ); + char *psz_sdp_new = realloc( psz_sdp, i_len + i_read_max + 1 ); size_t i_read; if( psz_sdp_new == NULL ) { _______________________________________________ vlc-commits mailing list [email protected] http://mailman.videolan.org/listinfo/vlc-commits
