flacdec: fix buffer size checking in get_metadata_size()

Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. (cherry picked from commit 4c5e7b27d57dd2be777780e840eef9be63242158) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Justin Ruggles <justin.ruggles@gmail.com> 2011-09-13 15:13:44 -0400
committer: Reinhard Tartler <siretart@tauware.de> 2012-03-18 17:50:17 +0100
commit: 7fc9aa6d359e6c594a367e4db6366bc661581f56 (patch)
tree: e9ddc5446cae3ceb9099297bffb2558e66d2a307 /libavcodec
parent: ce80957cf10e2ddbdbe6f74912c69228a8efaf35 (diff)
download: ffmpeg-7fc9aa6d359e6c594a367e4db6366bc661581f56.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 1ce8559de6..7331c5cdd1 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
 
     buf += 4;
     do {
+        if (buf_end - buf < 4)
+            return 0;
         ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
         buf += 4;
-        if (buf + metadata_size > buf_end) {
+        if (buf_end - buf < metadata_size) {
             /* need more data in order to read the complete header */
             return 0;
         }
author	Justin Ruggles <justin.ruggles@gmail.com>	2011-09-13 15:13:44 -0400
committer	Reinhard Tartler <siretart@tauware.de>	2012-03-18 17:50:17 +0100
commit	7fc9aa6d359e6c594a367e4db6366bc661581f56 (patch)
tree	e9ddc5446cae3ceb9099297bffb2558e66d2a307 /libavcodec
parent	ce80957cf10e2ddbdbe6f74912c69228a8efaf35 (diff)
download	ffmpeg-7fc9aa6d359e6c594a367e4db6366bc661581f56.tar.gz