videolan
/
vlc
mirror of https://gitea.goldendeliverer.com/videolan/vlc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

demux/ty: parse_master: fix off-by-one-read 

If p_sys->i_seq_table_size ends up being zero, the implementation
would later try to read outside of the buffer refered to by
p_sys->seq_table.

Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
pull/55/head
Filip Roséen 9 years ago
committed by Jean-Baptiste Kempf
parent
a5859f2527
commit
2385bd2d8f
1 changed files with 10 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 13
      modules/demux/ty.c

13
modules/demux/ty.c
View File

@ -1624,7 +1624,6 @@ static void parse_master(demux_t *p_demux)
{
demux_sys_t *p_sys = p_demux->p_sys;
uint8_t mst_buf[32];
uint32_t i, i_map_size;
int64_t i_save_pos = vlc_stream_Tell(p_demux->s);
int64_t i_pts_secs;
@ -1639,11 +1638,19 @@ static void parse_master(demux_t *p_demux)
/* parse header info */
vlc_stream_Read(p_demux->s, mst_buf, 32);
i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */
uint32_t i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */
uint32_t i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */
p_sys->i_bits_per_seq_entry = i_map_size * 8;
i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */
p_sys->i_seq_table_size = i / (8 + i_map_size);
if(p_sys->i_seq_table_size == 0)
{
p_sys->seq_table = NULL;
return;
}
/* parse all the entries */
p_sys->seq_table = calloc(p_sys->i_seq_table_size, sizeof(ty_seq_table_t));
if (p_sys->seq_table == NULL)

Write Preview
Loading…
Cancel
Save