misc: update: fix buffer overflow in updater

On 32 bit builds, parsing of update status files with a size of
4294967295 or more lead to an integer truncation in a call to malloc
and a subsequent buffer overflow. This happened prior to checking the
files' signature. The commit fixes this by disallowing overly large
status files (above 65k in practice)

Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

diff --git a/src/misc/update.c b/src/misc/update.c
index b00eb27bbf79dc78e922472aa6812e329659c9d7..e1257b7d8230e215886e00fa4c462ffead12fa45 100644 (file)
--- a/src/misc/update.c
+++ b/src/misc/update.c
@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
     }
 
     const int64_t i_read = stream_Size( p_stream );
+
+    if( i_read < 0 || i_read >= UINT16_MAX)
+    {
+        msg_Err(p_update->p_libvlc, "Status file too large");
+        goto error;
+    }
+
     psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
     if( !psz_update_data )
         goto error;