[FFmpeg-cvslog] r20014 - trunk/libavformat/oggparsevorbis.c
reimar
subversion
Thu Sep 24 17:37:09 CEST 2009
Author: reimar
Date: Thu Sep 24 17:37:09 2009
New Revision: 20014
Log:
Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.
Modified:
trunk/libavformat/oggparsevorbis.c
Modified: trunk/libavformat/oggparsevorbis.c
==============================================================================
--- trunk/libavformat/oggparsevorbis.c Thu Sep 24 17:13:34 2009 (r20013)
+++ trunk/libavformat/oggparsevorbis.c Thu Sep 24 17:37:09 2009 (r20014)
@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uin
{
const uint8_t *p = buf;
const uint8_t *end = buf + size;
- unsigned s, n, j;
+ unsigned n, j;
+ int s;
if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1;
s = bytestream_get_le32(&p);
- if (end - p < s)
+ if (end - p - 4 < s || s < 0)
return -1;
p += s;
n = bytestream_get_le32(&p);
- while (p < end && n > 0) {
+ while (end - p >= 4 && n > 0) {
const char *t, *v;
int tl, vl;
s = bytestream_get_le32(&p);
- if (end - p < s)
+ if (end - p < s || s < 0)
break;
t = p;
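Review bot: the `- 4` in `if (end - p - 4 < s || s < 0)` is an unexplained constant, and both new bounds checks are only correct while `s` stays `int`. A short comment that the 4 bytes are reserved for the `n = bytestream_get_le32(&p);` read that follows `p += s;` would help, as would testing `s < 0` first in both conditions so the sign check is not read as an afterthought. Assigning the 32-bit value from `bytestream_get_le32(&p)` to `int s` also relies on lengths above INT_MAX converting to a negative number, which is implementation-defined in C; a comment stating that assumption next to `int s;` would stop a later cleanup from turning `s` back into `unsigned` and silently reintroducing the unsigned comparison. Separately, the vendor-length failure does `return -1` while the per-comment failure only does `break`, so a truncated comment list is accepted without an error; if that difference is intended it deserves a comment.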