libavcodec.hg: xiph.c comparison

comparison xiph.c @ 6656:b1049dd41dd4 libavcodec

Add checks to ff_split_xiph_headers to ensure that returned header_len and header_start values are always valid. Fixes a crash with http://samples.mplayerhq.hu/ogg/mmw-deadzy.ogg (still does not play though).

author	reimar
date	Sun, 20 Apr 2008 23:33:49 +0000
parents	7595ead28402
children	2574def95b50

comparison

equal deleted inserted replaced

-:22cca5d3173a
+:b1049dd41dd4
 int first_header_size, uint8_t *header_start[3],
 int header_len[3])
 {
 int i, j;
-if (AV_RB16(extradata) == first_header_size) {
+if (extradata_size >= 6 && AV_RB16(extradata) == first_header_size) {
+int overall_len = 6;
 for (i=0; i<3; i++) {
 header_len[i] = AV_RB16(extradata);
 extradata += 2;
 header_start[i] = extradata;
 extradata += header_len[i];
+if (overall_len > extradata_size - header_len[i])
+return -1;
+overall_len += header_len[i];
 }
-} else if (extradata[0] == 2) {
+} else if (extradata_size >= 3 && extradata_size < INT_MAX - 0x1ff && extradata[0] == 2) {
+int overall_len = 3;
 for (i=0,j=1; i<2; i++,j++) {
 header_len[i] = 0;
-for (; j<extradata_size && extradata[j]==0xff; j++) {
+for (; overall_len < extradata_size && extradata[j]==0xff; j++) {
 header_len[i] += 0xff;
+overall_len   += 0xff + 1;
 }
-if (j >= extradata_size)
+overall_len   += extradata[j];
+if (overall_len > extradata_size)
 return -1;
 header_len[i] += extradata[j];
 }
 header_len[2] = extradata_size - header_len[0] - header_len[1] - j;

Mercurial > libavcodec.hg

comparison xiph.c @ 6656:b1049dd41dd4 libavcodec