changeset 24427:50159082a80b

Check wLongsPerEntry before using it. This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe!
author reimar
date Thu, 13 Sep 2007 15:18:57 +0000
parents 46a7d8c0aaeb
children 4691811bd8c7
files libmpdemux/aviheader.c
diffstat 1 files changed, 5 insertions(+), 5 deletions(-) [+]
--- a/libmpdemux/aviheader.c	Thu Sep 13 14:12:06 2007 +0000
+++ b/libmpdemux/aviheader.c	Thu Sep 13 15:18:57 2007 +0000
@@ -233,16 +233,16 @@
 	  
       print_avisuperindex_chunk(s,MSGL_V);
       
+      // Check and fix this useless crap
+      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+          mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+          s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+      }
       if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
         mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
         s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
       }
 
-      // Check and fix this useless crap
-      if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
-          mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
-          s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
-      }
       s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
       s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
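Review bot: The two `calloc` results on the last lines of the hunk, `s->aIndex` and `s->stdidx`, are not checked for NULL in the visible lines, while `s->nEntriesInUse` is still a file-supplied value that is only clamped against `chunksize`, so a very large chunk or a zero entry count may leave either pointer NULL. The enclosing block starts before and continues after the hunk, so a check may exist there; if it does not, add something like `if (!s->aIndex || !s->stdidx) { /* free both, set s->nEntriesInUse = 0, skip this index */ }` before the entries are read. The moved comment `// Check and fix this useless crap` also does not say why the order now matters, and a later refactor could move it back. I would replace it with `// wLongsPerEntry comes from the file and is the divisor below; normalize it first so 0 cannot cause a division by zero`.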