misc: update: fix buffer overflow in updater
On 32 bit builds, parsing of update status files with a size of
4294967295 or more led to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice).

Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
Fabian Yamaguchi authored and jbkempf committed Dec 10, 2014
1 parent 3a71b31 commit fbe2837
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/misc/update.c
Expand Up @@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
}

const int64_t i_read = stream_Size( p_stream );

if( i_read < 0 || i_read >= UINT16_MAX)
{
msg_Err(p_update->p_libvlc, "Status file too large");
goto error;
}

psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
if( !psz_update_data )
goto error;
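
Review bot: the new guard `if( i_read < 0 || i_read >= UINT16_MAX)` logs "Status file too large" for both conditions, so a negative result from `stream_Size` is reported as an oversized file; splitting the two cases, or wording the message to cover both, would make the log accurate when triaging a rejected update. The bound itself is a type limit used as a size policy: a named constant with a short comment stating the intended maximum status file size would document why 65535 was chosen and keep the cap independent of `UINT16_MAX`. The check does sit before `malloc( i_read + 1 )`, which is the right place, since it keeps `i_read + 1` well inside the range of a 32-bit `size_t`. Minor style point: the closing parenthesis lacks the space used in the surrounding calls (`UINT16_MAX )`).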