From fbe2837bc80f155c001781041a54c58b5524fc14 Mon Sep 17 00:00:00 2001
From: Fabian Yamaguchi
Date: Sat, 6 Dec 2014 13:12:38 +0100
Subject: [PATCH] misc: update: fix buffer overflow in updater

On 32 bit builds, parsing of update status files with a size of 4294967295 or more lead to an integer truncation in a call to malloc and a subsequent buffer overflow. This happened prior to checking the files' signature. The commit fixes this by disallowing overly large status files (above 65k in practice)

Signed-off-by: Jean-Baptiste Kempf
---
 src/misc/update.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/misc/update.c b/src/misc/update.c
index b00eb27bbf..e1257b7d82 100644
--- a/src/misc/update.c
+++ b/src/misc/update.c
@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
     }
 
     const int64_t i_read = stream_Size( p_stream );
+
+    if( i_read < 0 || i_read >= UINT16_MAX)
+    {
+        msg_Err(p_update->p_libvlc, "Status file too large");
+        goto error;
+    }
+
     psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
     if( !psz_update_data )
         goto error;
-- 
2.39.2
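Review bot: The size cap in the added check is a bare `UINT16_MAX` with no comment, so the only record of why a status file is rejected at that point is the commit message; naming the limit keeps the intent in the code, e.g. `#define UPDATE_STATUS_MAX_SIZE UINT16_MAX /* status files are expected to be small; larger input is rejected before signature checking */` and `if( i_read < 0 || i_read >= UPDATE_STATUS_MAX_SIZE )`. The `>=` also rejects a file of exactly 65535 bytes, which is acceptable but worth stating next to the limit so nobody later "fixes" it to `>`. The lower bound only rejects negative values; if stream_Size reports an unknown size as 0, the code still reaches `malloc( i_read + 1 )` with a one-byte buffer, and whether the subsequent read copes with that is decided outside the hunk. GetUpdateFile starts and ends outside the hunk.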