[FFmpeg-cvslog] r10725 - trunk/libavformat/oggparsevorbis.c
mru
subversion
Sat Oct 13 13:43:03 CEST 2007
Author: mru
Date: Sat Oct 13 13:43:03 2007
New Revision: 10725
Log:
simply buffer checks in vorbis_comment()
Modified:
trunk/libavformat/oggparsevorbis.c
Modified: trunk/libavformat/oggparsevorbis.c
==============================================================================
--- trunk/libavformat/oggparsevorbis.c (original)
+++ trunk/libavformat/oggparsevorbis.c Sat Oct 13 13:43:03 2007
@@ -34,36 +34,32 @@ extern int
vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
{
uint8_t *p = buf;
+ uint8_t *end = buf + size;
unsigned s, n, j;
if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1;
s = bytestream_get_le32(&p);
- size -= 4;
- if (size - 4 < s)
+ if (end - p < s)
return -1;
p += s;
- size -= s;
n = bytestream_get_le32(&p);
- size -= 4;
- while (size >= 4) {
+ while (p < end && n > 0) {
char *t, *v;
int tl, vl;
s = bytestream_get_le32(&p);
- size -= 4;
- if (size < s)
+ if (end - p < s)
break;
t = p;
p += s;
- size -= s;
n--;
v = memchr(t, '=', s);
@@ -103,8 +99,8 @@ vorbis_comment(AVFormatContext * as, uin
}
}
- if (size > 0)
- av_log(as, AV_LOG_INFO, "%i bytes of comment header remain\n", size);
+ if (p != end)
+ av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", p-end);
if (n > 0)
av_log(as, AV_LOG_INFO,
"truncated comment header, %i comments not found\n", n);
More information about the ffmpeg-cvslog
mailing list