authorXi Wang <xi.wang@gmail.com>2012-11-14 03:25:41 -0500
committerAnton Khirnov <anton@khirnov.net>2012-11-21 14:35:26 +0100
commitb655cfefafd565590bfc5976b9ce8dd141b3c41c (patch)
tree9deaab26b20f1fbc2e3e6e51eb6e3f80eaf46aa0 /libavformat
parent17fecb4a59926fc85d76efd0d0405f1aa84e429b (diff)
apetag: fix error handling in ff_ape_parse_tag()
The following error handling is broken due to signedness. int file_size; uint32_t tag_bytes; int64_t tag_start; ... tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES; if (tag_start < 0) { ... } Note that tag_bytes is unsigned, which makes the right-hand side of `tag_start = ...' unsigned, too. The 32-bit unsigned value is then zero-extended to 64 bits. Therefore, tag_start must be non-negative, and the check (tag_start < 0) is always false, which breaks the error handling. This patch fixes the check. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/apetag.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 28a3ff7753..0d2cb973fb 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -144,11 +144,11 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
return 0;
}
- tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
- if (tag_start < 0) {
+ if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES) {
av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes);
return 0;
}
+ tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
fields = avio_rl32(pb); /* number of fields */
if (fields > 65536) {
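Review bot: The rewritten guard `tag_bytes > file_size - APE_TAG_FOOTER_BYTES` is still a mixed signed/unsigned comparison, because the commit message gives file_size as `int` and tag_bytes as `uint32_t`, so the right-hand side is converted to unsigned before the compare. If file_size can be smaller than APE_TAG_FOOTER_BYTES (or negative after a failed or truncated size query), the difference wraps to a large unsigned value, the guard passes, and tag_start is then derived from a tag size that presumably comes straight from the file. The check is sound only if code above this hunk already guarantees `file_size >= APE_TAG_FOOTER_BYTES`; that precondition should be stated next to the test, e.g. `/* file_size >= APE_TAG_FOOTER_BYTES is checked above */`. Alternatively, do the arithmetic in signed 64-bit, `tag_start = (int64_t)file_size - tag_bytes - APE_TAG_FOOTER_BYTES;`, and keep the original `tag_start < 0` test. The body of ff_ape_parse_tag() starts and ends outside the hunk, so the earlier size checks are not visible here.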