Commit 98422c44 authored by Reimar Döffinger

Fix possible buffer over-read in vorbis_comment, fix it double to be sure.

First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.

Originally committed as revision 20014 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 595324e1
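The signed/unsigned comparison the commit message describes only bites where `end - p` (a `ptrdiff_t`) and the `unsigned` length have the same width, i.e. on ILP32 targets; on LP64 the unsigned value is promoted to a 64-bit signed `long` and the comparison is already signed. The following is an added example, not FFmpeg's code: it models the checks of `vorbis_comment()` before and after this commit with `int32_t` offsets standing in for a 32-bit `ptrdiff_t`, and uses a bounded reader that records the furthest byte a parser asks for instead of actually reading past the buffer. The two input headers are constructed for the example; `rd_le32`, `rd_touch`, `parse_old` and `parse_new` are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reader over a caller-supplied buffer. Bytes past `size` read as 0 (as a
 * padded FFmpeg buffer would give), but every request is recorded in
 * max_read so an over-read on an unpadded buffer becomes visible. */
struct reader {
    const uint8_t *buf;
    int32_t size;
    int32_t max_read;   /* one past the highest byte any read asked for */
};

static uint32_t rd_le32(struct reader *r, int32_t off)
{
    uint32_t v = 0;
    int i;
    if (off + 4 > r->max_read) r->max_read = off + 4;
    for (i = 0; i < 4; i++) {
        uint32_t b = (off + i < r->size) ? r->buf[off + i] : 0;
        v |= b << (8 * i);
    }
    return v;
}

/* Models the later memchr(t, '=', s) over the comment body. */
static void rd_touch(struct reader *r, int32_t off, int32_t len)
{
    if (off + len > r->max_read) r->max_read = off + len;
}

/* Pre-commit logic: `unsigned s`, `while (p < end && n > 0)`,
 * `if (end - p < s)`. The cast spells out what the usual arithmetic
 * conversions do on ILP32: the signed difference is compared as unsigned. */
static int parse_old(struct reader *r)
{
    int32_t p = 0, end = r->size;
    unsigned s, n;
    int got = 0;
    if (r->size < 8) return -1;
    s = rd_le32(r, p); p += 4;
    if ((uint32_t)(end - p) < s)
        return -1;
    p += s;
    n = rd_le32(r, p); p += 4;
    while (p < end && n > 0) {      /* p == end-1 still passes: 4-byte read */
        s = rd_le32(r, p); p += 4;  /* p may now be beyond end */
        if ((uint32_t)(end - p) < s) /* negative difference => huge => passes */
            break;
        rd_touch(r, p, (int32_t)s);
        p += s; n--; got++;
    }
    return got;
}

/* Post-commit logic: `int s`, `while (end - p >= 4 && n > 0)`,
 * `if (end - p - 4 < s || s < 0)` / `if (end - p < s || s < 0)`. */
static int parse_new(struct reader *r)
{
    int32_t p = 0, end = r->size;
    unsigned n;
    int32_t s;
    int got = 0;
    if (r->size < 8) return -1;
    s = (int32_t)rd_le32(r, p); p += 4;      /* >= 2^31 wraps negative */
    if (end - p - 4 < s || s < 0)            /* keep 4 bytes for the count */
        return -1;
    p += s;
    n = rd_le32(r, p); p += 4;
    while (end - p >= 4 && n > 0) {          /* a whole le32 must remain */
        s = (int32_t)rd_le32(r, p); p += 4;
        if (end - p < s || s < 0)
            break;
        rd_touch(r, p, s);
        p += s; n--; got++;
    }
    return got;
}

/* Constructed inputs (not taken from any real file). */
static const uint8_t good[] = {
    3,0,0,0, 'a','b','c',       /* vendor_length = 3, vendor string      */
    1,0,0,0,                    /* user_comment_list_length = 1          */
    3,0,0,0, 'k','=','v'        /* one comment                           */
};
static const uint8_t truncated[] = {
    3,0,0,0, 'a','b','c',
    1,0,0,0,
    0xFF,0xFF                   /* only 2 of the 4 length bytes survive  */
};

/* Runs one parser; returns comments accepted, reports bytes touched. */
static int run(int (*parse)(struct reader *), const uint8_t *buf,
               int32_t size, int32_t *max_read)
{
    struct reader r = { buf, size, 0 };
    int ret = parse(&r);
    *max_read = r.max_read;
    return ret;
}

/* Bytes each parser reaches beyond the end of the truncated header
 * (negative means it stopped short of the end). */
static int32_t overread_old(void)
{
    int32_t mr; run(parse_old, truncated, (int32_t)sizeof truncated, &mr);
    return mr - (int32_t)sizeof truncated;
}
static int32_t overread_new(void)
{
    int32_t mr; run(parse_new, truncated, (int32_t)sizeof truncated, &mr);
    return mr - (int32_t)sizeof truncated;
}

int main(void)
{
    int32_t mr;
    printf("good: old=%d new=%d comments\n",
           run(parse_old, good, (int32_t)sizeof good, &mr),
           run(parse_new, good, (int32_t)sizeof good, &mr));
    printf("truncated: old reaches %d bytes past end, new %d\n",
           overread_old(), overread_new());
    return 0;
}
```

On the truncated header the old logic reads a 4-byte length starting one byte before the end, gets a length of 0xFFFF from the two surviving bytes plus padding, and then the unsigned comparison against a negative remaining size passes, so the later `memchr` would scan tens of kilobytes past the buffer; the new logic refuses to read a length unless four bytes remain and stops before touching the end at all.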
...@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size) ...@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
{ {
const uint8_t *p = buf; const uint8_t *p = buf;
const uint8_t *end = buf + size; const uint8_t *end = buf + size;
unsigned s, n, j; unsigned n, j;
int s;
if (size < 8) /* must have vendor_length and user_comment_list_length */ if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1; return -1;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
if (end - p < s) if (end - p - 4 < s || s < 0)
return -1; return -1;
p += s; p += s;
n = bytestream_get_le32(&p); n = bytestream_get_le32(&p);
while (p < end && n > 0) { while (end - p >= 4 && n > 0) {
const char *t, *v; const char *t, *v;
int tl, vl; int tl, vl;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
if (end - p < s) if (end - p < s || s < 0)
break; break;
t = p; t = p;
......
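Review bot: the `s < 0` tests in `if (end - p - 4 < s || s < 0)` and `if (end - p < s || s < 0)` rely on `s = bytestream_get_le32(&p);` turning a length of 0x80000000 or more into a negative `int`, which is an implementation-defined conversion in C rather than guaranteed wrap-around. Keeping the value unsigned and comparing it against the remaining size avoids the assumption, e.g. `unsigned len = bytestream_get_le32(&p); if (len > (unsigned)(end - p - 4)) return -1;`, which is safe here because the `size < 8` check and the `end - p >= 4` loop condition keep `end - p - 4` and `end - p` non-negative at those points. The `- 4` in the first check also deserves a comment saying it reserves room for the `user_comment_list_length` read that follows `p += s;`, since nothing in the hunk explains it.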