[MPlayer-dev-eng] [patch] backports/fixes from uoti demux_mkv.c for comp_algo==3

Reimar Döffinger Reimar.Doeffinger at gmx.de
Thu Aug 12 21:47:59 CEST 2010


On Thu, Aug 12, 2010 at 10:36:46PM +0400, Yuriy Kaminskiy wrote:
> Reimar Döffinger wrote:
> > On Thu, Aug 12, 2010 at 09:33:40PM +0400, Yuriy Kaminskiy wrote:
> >> +        } else if (track->encodings[i].comp_algo == 3) {
> >> +            modified = 1;
> >> +            *dest = malloc(*size + track->encodings[i].comp_settings_len);
> > 
> > Integer overflow?
> No different from zlib code just above? (and a lot code nearby)

That, unfortunately, is more an argument for disabling
the native demuxer than for the patch...

> +            if (*size >= SIZE_MAX - enc->comp_settings_len) {

Due to other mess, comp_settings_len can be < 0, so I fear this
check can not 100% work.
Of course the real fault is insufficient checking when
comp_settings_len is set...


More information about the MPlayer-dev-eng mailing list