[MPlayer-dev-eng] [PATCH] crash in mp_dvdnav_save_smpi

Reimar Döffinger Reimar.Doeffinger at gmx.de
Mon Jun 13 19:17:06 CEST 2011


On Mon, Jun 13, 2011 at 04:41:02AM +0200, Gianluigi Tiesi wrote:
> I wrap malloc(size) so the final code is:
> 
> p0 = HeapAlloc (GetProcessHeap(), 0, size + (16 + sizeof (void *)));

You definitely _must_ protect this addition against integer overflow.
Failure to do so is likely to cause exploitable bugs (and not only in
code that is already buggy, like this one).
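
Added example, not part of the original message or of MPlayer's code: one way to guard the quoted `size + (16 + sizeof (void *))` addition before it reaches the allocator. The names `ALLOC_PAD`, `unchecked_total`, `padded_size` and `checked_alloc` are hypothetical, and `malloc()` stands in for `HeapAlloc(GetProcessHeap(), 0, ...)` so the block builds on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Padding taken from the quoted expression: 16 + sizeof(void *). */
#define ALLOC_PAD (16 + sizeof(void *))

/* The quoted arithmetic as-is: for a size close to SIZE_MAX the sum
 * wraps around and becomes a tiny value (hypothetical helper). */
static size_t unchecked_total(size_t size)
{
    return size + ALLOC_PAD;
}

/* Hypothetical helper: stores size + ALLOC_PAD in *total and returns 1,
 * or returns 0 when the sum would wrap past SIZE_MAX. */
static int padded_size(size_t size, size_t *total)
{
    if (size > SIZE_MAX - ALLOC_PAD)
        return 0;                /* addition would overflow */
    *total = size + ALLOC_PAD;
    return 1;
}

/* Hypothetical wrapper; malloc() is an assumption standing in for
 * HeapAlloc(GetProcessHeap(), 0, ...). */
static void *checked_alloc(size_t size)
{
    size_t total;

    if (!padded_size(size, &total))
        return NULL;             /* refuse instead of under-allocating */
    return malloc(total);
}

int main(void)
{
    size_t huge = SIZE_MAX - 4;  /* constructed sample request */
    void *p = checked_alloc(huge);

    printf("unchecked total: %zu bytes\n", unchecked_total(huge));
    printf("checked_alloc:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Without the check, the caller would receive a block of only a few bytes while believing it holds `size` bytes, which is the under-allocation the reply warns about.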

