diff libmpdemux/aviheader.c @ 24427:50159082a80b

Check wLongsPerEntry before using it. This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe!
author reimar
date Thu, 13 Sep 2007 15:18:57 +0000
parents 8d4b1bda30f1
children f2036002cac3
--- a/libmpdemux/aviheader.c	Thu Sep 13 14:12:06 2007 +0000
+++ b/libmpdemux/aviheader.c	Thu Sep 13 15:18:57 2007 +0000
@@ -233,16 +233,16 @@
 	  
       print_avisuperindex_chunk(s,MSGL_V);
       
+      // Check and fix this useless crap
+      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+          mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+          s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+      }
       if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
         mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
         s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
       }
 
-      // Check and fix this useless crap
-      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
-          mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
-          s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
-      }
       s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
       s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
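Review bot: The comment on the moved check, `// Check and fix this useless crap`, does not say that its position now matters: `s->wLongsPerEntry` is the divisor in the `nEntriesInUse` clamp directly below it. A value of 0 would divide by zero there, and a value smaller than the real entry size would leave the clamp too loose for the chunk. I would replace the comment with `// wLongsPerEntry is parsed from the chunk and is the divisor below; normalise it before clamping nEntriesInUse` so a later reorder does not undo the fix. Separately, no NULL check on the two `calloc` results is visible in this hunk. The enclosing block continues past the hunk, so confirm that `s->aIndex` and `s->stdidx` are tested before they are indexed.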