[MPlayer-dev-eng] [patch] backports/fixes from uoti demux_mkv.c for comp_algo==3

[Yuriy Kaminskiy]

Yuriy Kaminskiy wrote:
> Yuriy Kaminskiy wrote:
>> Reimar Döffinger wrote:
>>> On Thu, Aug 12, 2010 at 09:33:40PM +0400, Yuriy Kaminskiy wrote:
>>>> +        } else if (track->encodings[i].comp_algo == 3) {
>>>> +            modified = 1;
>>>> +            *dest = malloc(*size + track->encodings[i].comp_settings_len);
>>> Integer overflow?
>> No different from zlib code just above? (and a lot code nearby)
>> And there are already allocation for both *size and comp_settings_len.
>> Anyway, updated patches attached (and one more to follow later...)
> Not sure if that is all (and some maybe unnecessary; or solved in more nice
> way), but here it is. On top of "full" series.
> +                *dest = realloc(*dest, *size + AV_LZO_OUTPUT_PADDING);
Hrr, should be INPUT_PADDING. Well, really does not matter.
 free(*dest);
>          } else if (enc->comp_algo == 3) {
[...]
> -            if (*size >= SIZE_MAX - enc->comp_settings_len) {
> +            if (*size >= SIZE_MAX - AV_LZO_OUTPUT_PADDING - enc->comp_settings_len ) {
here too

Fixed version attached.

Just in case, this patch also fixes "enc->comp_settings_len can be negative"
issue from other mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: full.04.demux-mkv-overflows.v2.patch
Type: text/x-diff
Size: 11071 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20100814/3f6601e4/attachment-0001.patch>