]> git.sesse.net Git - vlc/commitdiff
projects / vlc / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 56acdf5)
Real: fix integer overflow
authorRémi Denis-Courmont <rdenis@simphalempin.com>
Mon, 17 Nov 2008 02:18:10 +0000 (04:18 +0200)
committerRémi Denis-Courmont <rdenis@simphalempin.com>
Sun, 30 Nov 2008 11:46:11 +0000 (13:46 +0200)
This is trivially exploitable to run code.

Pointed-out-by: Tobias Klein
modules/demux/real.c patch | blob | history

diff --git a/modules/demux/real.c b/modules/demux/real.c
index f3eb09408b193ffc6d44981eab7b06d0e69ff5ce..e35d46c25fb05dae2ac0140eb8bdb6c27de6bf4b 100644 (file)
--- a/modules/demux/real.c
+++ b/modules/demux/real.c
@@ -928,13 +928,10 @@ static void ReadRealIndex( demux_t *p_demux )
         msg_Dbg( p_demux, "Real Index: Does next index exist? %d ",
                         GetDWBE( &buffer[16] )  );
 
-    p_sys->p_index = 
-            (rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) );
+    p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) );
     if( p_sys->p_index == NULL )
         return;
 
-    memset( p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1) );
-
     for( i=0; i<i_index_count; i++ )
     {
         if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
Unnamed repository; edit this file 'description' to name the repository.