vlc | branch: master | Filip Roséen <fi...@atch.se> | Mon Feb 20 15:02:11 2017 +0100| [2385bd2d8f4b4c05edbdb657a0ee87cd2f5aa659] | committer: Jean-Baptiste Kempf
demux/ty: parse_master: fix off-by-one-read If p_sys->i_seq_table_size ends up being zero, the implementation would later try to read outside of the buffer refered to by p_sys->seq_table. Signed-off-by: Jean-Baptiste Kempf <j...@videolan.org> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2385bd2d8f4b4c05edbdb657a0ee87cd2f5aa659 --- modules/demux/ty.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/modules/demux/ty.c b/modules/demux/ty.c index 2079d1d..6f9bffa 100644 --- a/modules/demux/ty.c +++ b/modules/demux/ty.c @@ -1624,7 +1624,6 @@ static void parse_master(demux_t *p_demux) { demux_sys_t *p_sys = p_demux->p_sys; uint8_t mst_buf[32]; - uint32_t i, i_map_size; int64_t i_save_pos = vlc_stream_Tell(p_demux->s); int64_t i_pts_secs; @@ -1639,11 +1638,19 @@ static void parse_master(demux_t *p_demux) /* parse header info */ vlc_stream_Read(p_demux->s, mst_buf, 32); - i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */ + + uint32_t i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */ + uint32_t i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */ + p_sys->i_bits_per_seq_entry = i_map_size * 8; - i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */ p_sys->i_seq_table_size = i / (8 + i_map_size); + if(p_sys->i_seq_table_size == 0) + { + p_sys->seq_table = NULL; + return; + } + /* parse all the entries */ p_sys->seq_table = calloc(p_sys->i_seq_table_size, sizeof(ty_seq_table_t)); if (p_sys->seq_table == NULL) _______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits
