41c52fb...
by
Fabian Yamaguchi <email address hidden>
stream_out: rtp: don't use VLA for user controlled data
It should fix a possible invalid memory access
When streaming ogg-files via rtp, an ogg-file can trigger an invalid
write access using an overly long 'configuration' string.
The original code attemps to allocate space to hold the string on the stack
and hence, cannot verify if allocation succeeds. Instead, we now allocate the
buffer on the heap and return if allocation fails.
In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
the size depends on the local variable 'len'. The variable 'len' is
calculated at (0) to be the length of a string contained in a specially
crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
8eab5c9...
by
Fabian Yamaguchi <email address hidden>
demux: mp4: fix buffer overflow in parsing of string boxes.
We ensure that pbox->i_size is never smaller than 8 to avoid an
integer underflow in the third argument of the subsequent call to
memcpy. We also make sure no truncation occurs when passing values
derived from the 64 bit integer p_box->i_size to arguments of malloc
and memcpy that may be 32 bit integers on 32 bit platforms.