mplayer.hg: libmpdemux/aviheader.c comparison

comparison libmpdemux/aviheader.c @ 24427:50159082a80b

Check wLongsPerEntry before using it. This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe!

author	reimar
date	Thu, 13 Sep 2007 15:18:57 +0000
parents	8d4b1bda30f1
children	f2036002cac3

comparison

equal deleted inserted replaced

-:46a7d8c0aaeb
+:50159082a80b
 stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
 memset(s->dwReserved, 0, 3*4);
 print_avisuperindex_chunk(s,MSGL_V);
-if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
-mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
-s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
-}
 // Check and fix this useless crap
 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
 }
+if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+}
 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
 // now the real index of indices
 for (i=0; i<s->nEntriesInUse; i++) {

Mercurial > mplayer.hg

comparison libmpdemux/aviheader.c @ 24427:50159082a80b