vlc | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Thu Mar 28 12:38:39 2019 +0100| [de2d56055be37bf4d18ceb1623bb341f69d2d86e] | committer: Hugo Beauzée-Luyssen
ps: Fix read buffer overflow https://hackerone.com/reports/504484 > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=de2d56055be37bf4d18ceb1623bb341f69d2d86e --- modules/demux/mpeg/ps.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/demux/mpeg/ps.h b/modules/demux/mpeg/ps.h index cfa389e68b..16db3fddb2 100644 --- a/modules/demux/mpeg/ps.h +++ b/modules/demux/mpeg/ps.h @@ -623,7 +623,10 @@ static inline int ps_psm_fill( ps_psm_t *p_psm, block_t *p_pkt, int i_version; bool b_single_extension; - if( !p_psm || p_buffer[3] != PS_STREAM_ID_MAP ) + // Demux() checks that we have at least 4 bytes, but we need + // at least 10 to read up to the info_length field + assert(i_buffer >= 4); + if( !p_psm || i_buffer < 10 || p_buffer[3] != PS_STREAM_ID_MAP) return VLC_EGENERIC; i_length = GetWBE(&p_buffer[4]) + 6; _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
