highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix possible buffer over-read in vorbis_comment, fix it double to be sure.

Browse Source 
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.

Originally committed as revision 20014 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Reimar Döffinger 2009-09-24 15:37:09 +00:00
parent 595324e143
commit 98422c44cf
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libavformat/oggparsevorbis.c
View File

@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
{ {
const uint8_t *p = buf; const uint8_t *p = buf;
const uint8_t *end = buf + size; const uint8_t *end = buf + size;
unsigned s, n, j; unsigned n, j;
int s;
if (size < 8) /* must have vendor_length and user_comment_list_length */ if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1; return -1;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
if (end - p < s) if (end - p - 4 < s || s < 0)
return -1; return -1;
p += s; p += s;
n = bytestream_get_le32(&p); n = bytestream_get_le32(&p);
while (p < end && n > 0) { while (end - p >= 4 && n > 0) {
const char *t, *v; const char *t, *v;
int tl, vl; int tl, vl;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
if (end - p < s) if (end - p < s || s < 0)
break; break;
t = p; t = p;