[MPlayer-dev-eng] [PATCH] crash in mp_dvdnav_save_smpi

Gianluigi Tiesi mplayer at netfarm.it
Tue Jun 14 02:23:30 CEST 2011


On Mon, Jun 13, 2011 at 07:17:06PM +0200, Reimar Döffinger wrote:
> On Mon, Jun 13, 2011 at 04:41:02AM +0200, Gianluigi Tiesi wrote:
> > I wrap malloc(size) so the final code is:
> > 
> > p0 = HeapAlloc (GetProcessHeap(), 0, size + (16 + sizeof (void *)));
> 
> You definitely _must_ protect this addition against integer overflow.
> Failure to do so is likely to cause exploitable bugs (and not only in
> code that is already buggy, like this one).

yes, sure.
the code comes from mingwex; I've only changed it to use HeapAlloc instead
of dynload malloc from crt, so the bug is still in the original code

I've modified the check:

  if (size == 0)
    return ((void *) 0);

in:

#include <stdint.h>

/* true when size + (alignment + sizeof (void *)) would wrap around size_t;
 * SIZE_MAX instead of a hard-coded 0xffffffff so the check also holds on
 * 64-bit builds, and the macro arguments are parenthesised */
#define WILL_WRAP(size, alignment) \
  ((size) > (SIZE_MAX - ((alignment) + sizeof (void *))))

  if ((size == 0) || WILL_WRAP(size, alignment))
    return ((void *) 0);


I'm not sure I should report to mingw devels, they are still unreactive about
suggestions, I have had a pending patch for 64bit file ops for a long time
and I doubt anyone uses __mingw_aligned_malloc()

Regards

-- 
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
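As an added example (not part of Gianluigi's patch or of the mingwex code it wraps), here is a portable C sketch of the same aligned-allocation layout with the overflow check written against SIZE_MAX instead of a hard-coded 0xffffffff. The names `will_wrap`, `overhead`, `aligned_malloc_checked`, `aligned_free_checked` and `unchecked_request` are chosen here, and plain malloc stands in for HeapAlloc; `unchecked_request` only exists to show what the unprotected addition computes when it wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes added on top of the caller's request: room to slide the pointer
 * forward to the next alignment boundary, plus one slot to remember the
 * original block so it can be freed. Same layout as discussed in the thread. */
static size_t overhead(size_t alignment)
{
    return alignment + sizeof(void *);
}

/* Returns 1 when size + overhead(alignment) would wrap around size_t.
 * Compared against SIZE_MAX so it is right on both 32- and 64-bit builds. */
int will_wrap(size_t size, size_t alignment)
{
    return size > SIZE_MAX - overhead(alignment);
}

/* The unprotected arithmetic: on overflow this silently yields a small
 * number, so the allocator would hand back a tiny block for a huge request. */
size_t unchecked_request(size_t size, size_t alignment)
{
    return size + overhead(alignment);
}

/* Aligned allocation with the overflow check applied before the addition.
 * alignment must be a non-zero power of two. */
void *aligned_malloc_checked(size_t size, size_t alignment)
{
    unsigned char *raw, *aligned;

    if (size == 0 || alignment == 0 || (alignment & (alignment - 1)) != 0)
        return NULL;
    if (will_wrap(size, alignment))
        return NULL;                      /* refuse instead of wrapping */

    raw = malloc(size + overhead(alignment));
    if (raw == NULL)
        return NULL;

    /* First address >= raw + sizeof(void *) that is a multiple of alignment;
     * the gap guarantees room for the stashed original pointer below it. */
    aligned = (unsigned char *)(((uintptr_t)raw + sizeof(void *) + alignment - 1)
                                & ~(uintptr_t)(alignment - 1));
    ((void **)aligned)[-1] = raw;         /* remember the block to free later */
    return aligned;
}

void aligned_free_checked(void *p)
{
    if (p != NULL)
        free(((void **)p)[-1]);
}

int main(void)
{
    void *p = aligned_malloc_checked(100, 64);
    if (p == NULL || ((uintptr_t)p & 63) != 0)
        return 1;
    memset(p, 0xAB, 100);
    aligned_free_checked(p);
    /* a request that would wrap is rejected rather than under-allocated */
    return aligned_malloc_checked(SIZE_MAX, 16) == NULL ? 0 : 1;
}
```

The boundary case worth keeping in mind is that the largest request that passes is exactly SIZE_MAX minus the overhead; one byte more and the unchecked sum wraps to a value smaller than the overhead itself.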

