On 32 bit builds, parsing of update status files with a size of
4294967295 or more led to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice).
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
}
const int64_t i_read = stream_Size( p_stream );
+
+ if( i_read < 0 || i_read >= UINT16_MAX)
+ {
+ msg_Err(p_update->p_libvlc, "Status file too large");
+ goto error;
+ }
+
psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
if( !psz_update_data )
goto error;
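Review bot: The added `if( i_read < 0 || i_read >= UINT16_MAX)` logs "Status file too large" for both conditions, so a negative value from stream_Size() is reported as an oversize file; split the two cases or use a neutral message such as "Invalid status file size". The limit is a bare UINT16_MAX with no comment: a named constant plus a one-line comment stating that the cap protects the following `malloc( i_read + 1 )`, where the int64_t size is narrowed to size_t on 32 bit builds, would make it less likely that the bound is relaxed later without revisiting the allocation. The `>=` also rejects a file of exactly 65535 bytes, which is worth stating if intended. Minor style point: the condition is missing the space before the closing parenthesis that the surrounding lines use.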