changeset 5232:ee0eaff74dd3 libavformat
Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.
author | reimar |
---|---|
date | Thu, 24 Sep 2009 15:37:09 +0000 |
parents | d2e3bc991df4 |
children | cdb08821fda4 |
files | oggparsevorbis.c |
diffstat | 1 files changed, 5 insertions(+), 4 deletions(-) |
--- a/oggparsevorbis.c Wed Sep 23 18:22:00 2009 +0000 +++ b/oggparsevorbis.c Thu Sep 24 15:37:09 2009 +0000 @@ -50,27 +50,28 @@ { const uint8_t *p = buf; const uint8_t *end = buf + size; - unsigned s, n, j; + unsigned n, j; + int s; if (size < 8) /* must have vendor_length and user_comment_list_length */ return -1; s = bytestream_get_le32(&p); - if (end - p < s) + if (end - p - 4 < s || s < 0) return -1; p += s; n = bytestream_get_le32(&p); - while (p < end && n > 0) { + while (end - p >= 4 && n > 0) { const char *t, *v; int tl, vl; s = bytestream_get_le32(&p); - if (end - p < s) + if (end - p < s || s < 0) break; t = p;
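Review bot: the `- 4` in the first check, `if (end - p - 4 < s || s < 0)`, is an unexplained magic number. It appears to reserve room for the `n = bytestream_get_le32(&p)` read that follows `p += s`, and a short comment saying so (or a named constant) would keep a later edit from dropping it and reopening the over-read. In both checks the `s < 0` test comes after the size comparison. Because `s` is now `int` the result is the same, but putting `s < 0` first would make it obvious that a length field with the top bit set is rejected before it takes part in any arithmetic. Note also that `n` stays unsigned and is bounded only by the new `end - p >= 4` loop condition, which is worth stating in a comment next to the `while`.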