comparison libmpdemux/aviheader.c @ 24427:50159082a80b
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!
author | reimar |
---|---|
date | Thu, 13 Sep 2007 15:18:57 +0000 |
parents | 8d4b1bda30f1 |
children | f2036002cac3 |
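--- a/libmpdemux/aviheader.c
+++ b/libmpdemux/aviheader.c
@@ -231,20 +231,20 @@
 stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
 memset(s->dwReserved, 0, 3*4);
 
 print_avisuperindex_chunk(s,MSGL_V);
 
-if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
-mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
-s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
-}
-
 // Check and fix this useless crap
 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
 }
+if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+}
+
 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
 
 // now the real index of indices
 for (i=0; i<s->nEntriesInUse; i++) {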
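Review bot: The two `calloc` results stored in `s->aIndex` and `s->stdidx` are still used without a NULL check. The relocated clamp bounds `s->nEntriesInUse` only by `chunksize`, which presumably also comes from the file, so a large request can still fail. The `for` loop that follows presumably writes through both pointers; its body is outside this section, so that part is inferred. A guard right after the allocations, such as `if (!s->aIndex || !s->stdidx) s->nEntriesInUse = 0;` with an `mp_msg` warning, would keep the loop from running on a failed allocation. Whichever of the two allocations did succeed should also be released or left for the existing cleanup path. It would also help to put a comment above the moved block saying that `wLongsPerEntry` must be sanitised first because it is the divisor, e.g. `// wLongsPerEntry is now known to be non-zero, so it is safe as a divisor`.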