[vlc-commits] demux: avi: fix undefined read (fix #17635)

Sun, 13 Nov 2016 12:02:11 -0800 

vlc | branch: master | Francois Cartegnie <fcvlc...@free.fr> | Sun Nov 13 
19:50:18 2016 +0100| [3fe8d04f223bfca704d83914b9c110d85c9a4f86] | committer: 
Francois Cartegnie

demux: avi: fix undefined read (fix #17635)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=3fe8d04f223bfca704d83914b9c110d85c9a4f86
---

 modules/demux/avi/avi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 1939b28..e45b5de 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -30,6 +30,7 @@
 #endif
 #include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 
 #include <vlc_common.h>
 #include <vlc_plugin.h>
@@ -2204,7 +2205,7 @@ static int AVI_PacketGetHeader( demux_t *p_demux, 
avi_packet_t *p_pk )
 static int AVI_PacketNext( demux_t *p_demux )
 {
     avi_packet_t    avi_ck;
-    int             i_skip = 0;
+    size_t          i_skip = 0;
 
     if( AVI_PacketGetHeader( p_demux, &avi_ck ) )
     {
@@ -2223,10 +2224,16 @@ static int AVI_PacketNext( demux_t *p_demux )
     }
     else
     {
+        if( avi_ck.i_size > UINT32_MAX - 9 )
+            return VLC_EGENERIC;
         i_skip = __EVEN( avi_ck.i_size ) + 8;
     }
 
-    if( vlc_stream_Read( p_demux->s, NULL, i_skip ) != i_skip )
+    if( i_skip > SSIZE_MAX )
+        return VLC_EGENERIC;
+
+    ssize_t i_ret = vlc_stream_Read( p_demux->s, NULL, i_skip );
+    if( i_ret < 0 || (size_t) i_ret != i_skip )
     {
         return VLC_EGENERIC;
     }

_______________________________________________
vlc-commits mailing list
vlc-commits@videolan.org
https://mailman.videolan.org/listinfo/vlc-commits

Reply via email to