Ticket #1499 (closed defect: fixed)

Opened 2 months ago

Last modified 2 months ago

null dereference in real demuxer

Reported by: drew Assigned to:
Priority: normal Milestone:
Component: Demuxers Version: master
Severity: normal Keywords:
Cc: Platform(s): all
Difficulty: unknown Work status: Not started

Description

In real.c: ---

            if( fmt.i_codec == VLC_FOURCC('c','o','o','k')
             || fmt.i_codec == VLC_FOURCC('a','t','r','c') )
            {
                tk->i_subpackets =
                    i_subpacket_h * i_frame_size / tk->i_subpacket_size;
                tk->p_subpackets =
                    calloc( tk->i_subpackets, sizeof(block_t *) );
            }
            else if( fmt.i_codec == VLC_FOURCC('2','8','_','8') )
            {
                tk->i_subpackets =
                    i_subpacket_h * i_frame_size / tk->i_coded_frame_size;
                tk->p_subpackets =
                    calloc( tk->i_subpackets, sizeof(block_t *) );
            }

---

i_subpacket_h, i_frame_size, and tk->i_coded_frame_size all come directly from the file. If they're large enough, calloc will return null, leading to a null dereference later.

There are other similar allocations in the file, but those are all allocating an 8- or 16-bit number, which is less likely to cause null to be returned.
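A hardened version of this allocation path, added here as an example; it is not VLC's code nor the fix that closed this ticket. track_t, block_t, MAX_SUBPACKETS and the function names are assumed stand-ins for the real demuxer's types, and i_divisor stands for either tk->i_subpacket_size or tk->i_coded_frame_size.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for VLC's block_t; only pointers to it are stored. */
typedef struct block_t block_t;

/* Cap on subpacket slots per track. Constructed value for this example. */
#define MAX_SUBPACKETS 4096u

typedef struct {
    unsigned  i_subpackets;
    block_t **p_subpackets;
} track_t;

/* Hardened counterpart of the allocation quoted in the ticket. All three
 * size inputs are file-controlled. Returns 0 on success, -1 when the input
 * is rejected or calloc fails; on failure the track keeps no buffer and a
 * zero count, so later code cannot index a NULL array. */
int alloc_subpackets(track_t *tk, unsigned i_subpacket_h,
                     unsigned i_frame_size, unsigned i_divisor)
{
    tk->i_subpackets = 0;
    tk->p_subpackets = NULL;

    if (i_divisor == 0)                 /* never divide by a file-supplied 0 */
        return -1;

    /* Multiply in 64 bits so two large 32-bit values cannot wrap. */
    uint64_t n = (uint64_t)i_subpacket_h * i_frame_size / i_divisor;

    /* Reject absurd counts instead of asking calloc for gigabytes. */
    if (n == 0 || n > MAX_SUBPACKETS)
        return -1;

    block_t **p = calloc((size_t)n, sizeof *p);
    if (p == NULL)                      /* the check the original code lacks */
        return -1;

    tk->i_subpackets = (unsigned)n;
    tk->p_subpackets = p;
    return 0;
}

/* Helper: run the allocation once and return the slot count (0 = rejected). */
unsigned subpacket_count(unsigned h, unsigned f, unsigned d)
{
    track_t tk;
    if (alloc_subpackets(&tk, h, f, d) != 0)
        return 0;
    unsigned n = tk.i_subpackets;
    free(tk.p_subpackets);
    return n;
}
```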

Change History

03/11/08 03:06:01 changed by jb

  • status changed from new to closed.
  • resolution set to fixed.