author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-09-24 15:37:09 +0000 |
---|---|---|
committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-09-24 15:37:09 +0000 |
commit | 98422c44cf86de6da8f73a7bd80284ed165c5a98 (patch) | |
tree | 79cf42abd43abd728d71bdaada4045b9fa60efd2 | |
parent | 595324e143b57a52e2329eb47b84395c70f93087 (diff) | |
download | ffmpeg-98422c44cf86de6da8f73a7bd80284ed165c5a98.tar.gz |
Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.
Originally committed as revision 20014 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavformat/oggparsevorbis.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index afc3fcb5a6..1ef7365f4a 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size) { const uint8_t *p = buf; const uint8_t *end = buf + size; - unsigned s, n, j; + unsigned n, j; + int s; if (size < 8) /* must have vendor_length and user_comment_list_length */ return -1; s = bytestream_get_le32(&p); - if (end - p < s) + if (end - p - 4 < s || s < 0) return -1; p += s; n = bytestream_get_le32(&p); - while (p < end && n > 0) { + while (end - p >= 4 && n > 0) { const char *t, *v; int tl, vl; s = bytestream_get_le32(&p); - if (end - p < s) + if (end - p < s || s < 0) break; t = p; |
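Review bot: The `- 4` in the vendor-length check `if (end - p - 4 < s || s < 0)` is an unexplained constant, and the new loop condition `end - p >= 4` uses another bare 4. A short comment would help: in the first check it reserves the four bytes consumed by the following `n = bytestream_get_le32(&p)` (the user_comment_list_length named in the `size < 8` comment), and in the loop it guards the length read at the top of each iteration. Both new checks also test `s < 0` last; writing them as `if (s < 0 || end - p < s)` would show that the length is validated before it takes part in a comparison. The `s < 0` test relies on an oversized length turning negative when the value read by `bytestream_get_le32` is stored in `int s`; since `p += s` depends on that, it deserves a one-line comment next to the declaration.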