[vlc-commits] avformat: fix heap read overflow and invalid cast
vlc/vlc-2.2 | branch: master | Rémi Denis-Courmont | Fri Aug 28 21:37:17 2015 +0300| [41503d6994ae0cd27a7564ba66e76a5d90adf332] | committer: Jean-Baptiste Kempf avformat: fix heap read overflow and invalid cast avformat needs nul padding after the probe data. (cherry picked from commit 48a017006cc038c9783bccfc1d56f9ec2070fa54) Signed-off-by: Jean-Baptiste Kempf > http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=41503d6994ae0cd27a7564ba66e76a5d90adf332 --- modules/demux/avformat/demux.c | 33 - 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c index df92ea8..2b33de7 100644 --- a/modules/demux/avformat/demux.c +++ b/modules/demux/avformat/demux.c @@ -163,8 +163,24 @@ int OpenDemux( vlc_object_t *p_this ) int64_t i_start_time = -1; bool b_can_seek; char *psz_url; +const uint8_t *peek; int error; +/* Init Probe data */ +pd.buf_size = stream_Peek( p_demux->s, &peek, 2048 + 213 ); +if( pd.buf_size <= 0 ) +{ +msg_Warn( p_demux, "cannot peek" ); +return VLC_EGENERIC; +} + +pd.buf = malloc( pd.buf_size + AVPROBE_PADDING_SIZE ); +if( unlikely(pd.buf == NULL) ) +return VLC_ENOMEM; + +memcpy( pd.buf, peek, pd.buf_size ); +memset( pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE ); + if( p_demux->psz_file ) psz_url = strdup( p_demux->psz_file ); else @@ -177,18 +193,13 @@ int OpenDemux( vlc_object_t *p_this ) if( psz_url != NULL ) msg_Dbg( p_demux, "trying url: %s", psz_url ); -/* Init Probe data */ pd.filename = psz_url; -if( ( pd.buf_size = stream_Peek( p_demux->s, (const uint8_t**)&pd.buf, 2048 + 213 ) ) <= 0 ) -{ -free( psz_url ); -msg_Warn( p_demux, "cannot peek" ); -return VLC_EGENERIC; -} + stream_Control( p_demux->s, STREAM_CAN_SEEK, &b_can_seek ); vlc_init_avformat(p_this); +/* Guess format */ char *psz_format = var_InheritString( p_this, "avformat-format" ); if( psz_format ) { @@ -197,8 +208,12 @@ int OpenDemux( vlc_object_t *p_this ) free( psz_format ); } -/* Guess format */ -if( !fmt && !( fmt = av_probe_input_format( &pd, 1 ) ) ) +if( fmt == NULL ) +fmt = av_probe_input_format( &pd, 1 ); + +free( pd.buf ); + +if( fmt == NULL ) { msg_Dbg( p_demux, "couldn't guess format" ); free( psz_url ); ___ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits
[vlc-commits] avformat: fix heap read overflow and invalid cast
vlc | branch: master | Rémi Denis-Courmont | Fri Aug 28 21:37:17 2015 +0300| [48a017006cc038c9783bccfc1d56f9ec2070fa54] | committer: Rémi Denis-Courmont avformat: fix heap read overflow and invalid cast avformat needs nul padding after the probe data. > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=48a017006cc038c9783bccfc1d56f9ec2070fa54 --- modules/demux/avformat/demux.c | 33 - 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c index 5211aaa..5480af7 100644 --- a/modules/demux/avformat/demux.c +++ b/modules/demux/avformat/demux.c @@ -163,8 +163,24 @@ int OpenDemux( vlc_object_t *p_this ) int64_t i_start_time = -1; bool b_can_seek; char *psz_url; +const uint8_t *peek; int error; +/* Init Probe data */ +pd.buf_size = stream_Peek( p_demux->s, &peek, 2048 + 213 ); +if( pd.buf_size <= 0 ) +{ +msg_Warn( p_demux, "cannot peek" ); +return VLC_EGENERIC; +} + +pd.buf = malloc( pd.buf_size + AVPROBE_PADDING_SIZE ); +if( unlikely(pd.buf == NULL) ) +return VLC_ENOMEM; + +memcpy( pd.buf, peek, pd.buf_size ); +memset( pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE ); + if( p_demux->psz_file ) psz_url = strdup( p_demux->psz_file ); else @@ -177,18 +193,13 @@ int OpenDemux( vlc_object_t *p_this ) if( psz_url != NULL ) msg_Dbg( p_demux, "trying url: %s", psz_url ); -/* Init Probe data */ pd.filename = psz_url; -if( ( pd.buf_size = stream_Peek( p_demux->s, (const uint8_t**)&pd.buf, 2048 + 213 ) ) <= 0 ) -{ -free( psz_url ); -msg_Warn( p_demux, "cannot peek" ); -return VLC_EGENERIC; -} + stream_Control( p_demux->s, STREAM_CAN_SEEK, &b_can_seek ); vlc_init_avformat(p_this); +/* Guess format */ char *psz_format = var_InheritString( p_this, "avformat-format" ); if( psz_format ) { @@ -197,8 +208,12 @@ int OpenDemux( vlc_object_t *p_this ) free( psz_format ); } -/* Guess format */ -if( !fmt && !( fmt = av_probe_input_format( &pd, 1 ) ) ) +if( fmt == NULL ) +fmt = av_probe_input_format( &pd, 1 ); + +free( pd.buf ); + +if( fmt == NULL ) { msg_Dbg( p_demux, "couldn't guess format" ); free( psz_url ); ___ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits