[FFmpeg-cvslog] apetag: fix error handling in ff_ape_parse_tag()
Xi Wang
git at videolan.org
Thu Nov 22 15:46:51 CET 2012
ffmpeg | branch: master | Xi Wang <xi.wang at gmail.com> | Wed Nov 14 03:25:41 2012 -0500| [b655cfefafd565590bfc5976b9ce8dd141b3c41c] | committer: Anton Khirnov
apetag: fix error handling in ff_ape_parse_tag()
The following error handling is broken due to signedness.

    int file_size;
    uint32_t tag_bytes;
    int64_t tag_start;
    ...
    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
    if (tag_start < 0) { ... }

Note that tag_bytes is unsigned, which makes the right-hand side of
`tag_start = ...' unsigned, too. The 32-bit unsigned value is then
zero-extended to 64 bits. Therefore, tag_start must be non-negative,
and the check (tag_start < 0) is always false, which breaks the error
handling. This patch fixes the check.
Signed-off-by: Xi Wang <xi.wang at gmail.com>
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b655cfefafd565590bfc5976b9ce8dd141b3c41c
---
libavformat/apetag.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 28a3ff7..0d2cb97 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -144,11 +144,11 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
return 0;
}
- tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
- if (tag_start < 0) {
+ if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES) {
av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes);
return 0;
}
+ tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
fields = avio_rl32(pb); /* number of fields */
if (fields > 65536) {
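Review bot: The new condition `if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES)` still mixes signedness: `file_size - APE_TAG_FOOTER_BYTES` is an int that is converted to unsigned for the comparison with tag_bytes (uint32_t per the commit message). If file_size can be smaller than APE_TAG_FOOTER_BYTES at this point, the right-hand side goes negative, converts to a very large unsigned value, and the error branch is skipped. The hunk shows only the tail of an earlier `return 0;` path and not its condition, so please confirm that path already rejects file_size < APE_TAG_FOOTER_BYTES, or make the check independent of it, for example by doing the arithmetic in int64_t before comparing. A short comment above the check stating that precondition would also help the next reader, since the relocated `tag_start = ...` line continues to rely on 32-bit unsigned arithmetic being in range.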
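The signedness problem described in the commit message, reproduced as an added example (not FFmpeg's code). It assumes a 32-bit int and a value of 32 for APE_TAG_FOOTER_BYTES; the function names, the `rejects_wide` variant and the input values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define APE_TAG_FOOTER_BYTES 32 /* assumed value for this example */

/* Check as written before the patch. Returns 1 if the tag is rejected. */
static int rejects_before(int file_size, uint32_t tag_bytes)
{
    /* int - uint32_t is computed as 32-bit unsigned (it wraps), then
     * zero-extended into the int64_t, so the result is never negative. */
    int64_t tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
    return tag_start < 0;
}

/* Check as written after the patch. The cast only spells out the
 * conversion the compiler applies to the int operand implicitly. */
static int rejects_after(int file_size, uint32_t tag_bytes)
{
    return tag_bytes > (uint32_t)(file_size - APE_TAG_FOOTER_BYTES);
}

/* Hypothetical alternative: do the subtraction in 64-bit signed. */
static int rejects_wide(int file_size, uint32_t tag_bytes)
{
    int64_t tag_start = (int64_t)file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
    return tag_start < 0;
}

int main(void)
{
    /* Constructed inputs: {file_size, tag_bytes}. */
    static const struct { int size; uint32_t tag; } cases[] = {
        { 1000, 100 },  /* tag fits in the file */
        { 1000, 5000 }, /* tag larger than the file */
        { 16, 8 },      /* file smaller than the footer */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("size=%d tag=%u before=%d after=%d wide=%d\n",
               cases[i].size, (unsigned)cases[i].tag,
               rejects_before(cases[i].size, cases[i].tag),
               rejects_after(cases[i].size, cases[i].tag),
               rejects_wide(cases[i].size, cases[i].tag));
    return 0;
}
```

For the constructed case with a file smaller than the footer, the patched comparison alone does not reject, so it depends on file_size having been checked against APE_TAG_FOOTER_BYTES beforehand.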