Skip to content
Permalink
Browse files Browse the repository at this point in the history
codec: schroedinger: fix potential buffer overflow.
The variable len is a raw 32 bit value read using GetDWBE. If this
value is larger than UINT32_MAX - sizeof(eos), this will cause an
integer overflow in the subsequent call to malloc, and finally a
buffer overflow when calling memcpy. We fix this by checking len
accordingly.

Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
  • Loading branch information
Fabian Yamaguchi authored and jbkempf committed Dec 6, 2014
1 parent ff0fab9 commit 9bb0353
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions modules/codec/schroedinger.c
Expand Up @@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
* is appended to the sequence header to allow guard
* against poor streaming servers */
/* XXX, should this be done using the packetizer ? */

if( len > UINT32_MAX - sizeof( eos ) )
return NULL;

p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
if( !p_enc->fmt_out.p_extra )
return NULL;
Expand Down

0 comments on commit 9bb0353

Please sign in to comment.