# HG changeset patch
# User mru
# Date 1192275783 0
# Node ID b86ce673781136d226f9e17f0bef4930ff9ef42b
# Parent a004bd730f70e1dc2ca00ce068f29052cd9ad3b1
simply buffer checks in vorbis_comment()
diff -r a004bd730f70 -r b86ce6737811 oggparsevorbis.c
--- a/oggparsevorbis.c Sat Oct 13 11:42:06 2007 +0000
+++ b/oggparsevorbis.c Sat Oct 13 11:43:03 2007 +0000
@@ -34,36 +34,32 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
 uint8_t *p = buf;
+ uint8_t *end = buf + size;
 unsigned s, n, j;
 if (size < 8) /* must have vendor_length and user_comment_list_length */
 return -1;
 s = bytestream_get_le32(&p);
- size -= 4;
- if (size - 4 < s)
+ if (end - p < s)
 return -1;
 p += s;
- size -= s;
 n = bytestream_get_le32(&p);
- size -= 4;
- while (size >= 4) {
+ while (p < end && n > 0) {
 char *t, *v;
 int tl, vl;
 s = bytestream_get_le32(&p);
- size -= 4;
- if (size < s)
+ if (end - p < s)
 break;
 t = p;
 p += s;
- size -= s;
 n--;
 v = memchr(t, '=', s);
@@ -103,8 +99,8 @@
 }
 }
- if (size > 0)
- av_log(as, AV_LOG_INFO, "%i bytes of comment header remain\n", size);
+ if (p != end)
+ av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", p-end);
 if (n > 0)
 av_log(as, AV_LOG_INFO, "truncated comment header, %i comments not found\n", n);
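Review bot: The new guard `if (end - p < s)` after the vendor length no longer reserves the four bytes of user_comment_list_length that the removed `size - 4 < s` check accounted for, so a vendor string that fills the rest of the buffer lets the following `bytestream_get_le32(&p)` read past `end`; I would write `if (end - p - 4 < s)`. The loop condition has the same gap: `p < end` allows the per-comment length read with only one to three bytes left, where the old `size >= 4` did not, so it should be `while (end - p >= 4 && n > 0)`. Once `p` can pass `end`, `end - p` is negative and the result of comparing it with the unsigned `s` depends on the width of ptrdiff_t, so the reads need to be bounded before they happen rather than checked afterwards. vorbis_comment's body continues past the end of this hunk.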
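Review bot: The logged value `p-end` is the negative of the number of bytes left, since this branch is normally reached with `p` before `end`; the argument should be `end - p`, i.e. `av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", end - p);`. `p != end` is also true when `p` has moved past `end`, which the loop in the previous hunk appears to allow, so `if (p < end)` states the intent more exactly. The enclosing function starts before this hunk.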