Mercurial > mplayer.hg
diff libmpdemux/aviheader.c @ 24427:50159082a80b
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!
author | reimar |
---|---|
date | Thu, 13 Sep 2007 15:18:57 +0000 |
parents | 8d4b1bda30f1 |
children | f2036002cac3 |
line wrap: on
line diff
--- a/libmpdemux/aviheader.c Thu Sep 13 14:12:06 2007 +0000 +++ b/libmpdemux/aviheader.c Thu Sep 13 15:18:57 2007 +0000 @@ -233,16 +233,16 @@ print_avisuperindex_chunk(s,MSGL_V); + // Check and fix this useless crap + if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { + mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); + s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; + } if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; } - // Check and fix this useless crap - if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { - mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); - s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; - } s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));