From a0a8b8873b42897fea94cbab9b712e3c7b3d60b6 Mon Sep 17 00:00:00 2001
From: Vineeth TM
Date: Fri, 13 Nov 2015 10:41:58 +0900
Subject: [PATCH] glsl: fix possible string overrun in gst_glsl_version_profile_from_string
given a NULL-terminated string, s. s[i] = '\0'; i++; does not guarentee that s[i] is NULL terminated and thus string operations could read off the end of the array.
https://bugzilla.gnome.org/show_bug.cgi?id=758039
---
 gst-libs/gst/gl/gstglsl.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/gst-libs/gst/gl/gstglsl.c b/gst-libs/gst/gl/gstglsl.c
index d9d74a8e5c..2826622277 100644
--- a/gst-libs/gst/gl/gstglsl.c
+++ b/gst-libs/gst/gl/gstglsl.c
@@ -245,8 +245,8 @@ gst_glsl_version_profile_from_string (const gchar * string,
 GstGLSLVersion * version_ret, GstGLSLProfile * profile_ret)
 {
 gchar *str, *version_s, *profile_s;
- GstGLSLVersion version;
- GstGLSLProfile profile;
+ GstGLSLVersion version = GST_GLSL_VERSION_NONE;
+ GstGLSLProfile profile = GST_GLSL_PROFILE_NONE;
 gint i;
 if (!string)
@@ -275,12 +275,14 @@ gst_glsl_version_profile_from_string (const gchar * string,
 goto error;
 }
- version_s[i] = '\0';
- i++;
- profile_s = &version_s[i];
- profile_s = g_strstrip (profile_s);
+ if (version_s[i] != 0) {
+ version_s[i] = '\0';
+ i++;
+ profile_s = &version_s[i];
+ profile_s = g_strstrip (profile_s);
- profile = gst_glsl_profile_from_string (profile_s);
+ profile = gst_glsl_profile_from_string (profile_s);
+ }
 version = gst_glsl_version_from_string (version_s);
 g_free (str);
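Review bot: The new guard `if (version_s[i] != 0) {` in the second hunk needs a comment explaining why the whole profile branch is skipped, since the connection to the overrun described in the commit message is not visible from the condition alone; I would add `/* String ends right after the version digits: there is no profile token, and advancing i past the terminator would read off the end of str. */` above it. For consistency with the `'\0'` written on the very next line, compare against the character constant: `if (version_s[i] != '\0') {`. When the branch is skipped, `profile` keeps the GST_GLSL_PROFILE_NONE initializer from the first hunk, so a version-only input now hands a NONE profile to the caller; whether callers map NONE to a default is not visible here and should be confirmed. The loop that advances `i` over the version digits and the rest of gst_glsl_version_profile_from_string lie outside this hunk, so whether the overwritten character is always whitespace cannot be checked from the diff.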