[FFmpeg-cvslog] r21711 - in branches/0.5: . libavformat/oggparsevorbis.c

siretart subversion
Tue Feb 9 19:51:11 CET 2010


Author: siretart
Date: Tue Feb  9 19:51:11 2010
New Revision: 21711

Log:
Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.

backported r20014 by reimar

Modified:
   branches/0.5/   (props changed)
   branches/0.5/libavformat/oggparsevorbis.c

Modified: branches/0.5/libavformat/oggparsevorbis.c
==============================================================================
--- branches/0.5/libavformat/oggparsevorbis.c	Tue Feb  9 19:44:49 2010	(r21710)
+++ branches/0.5/libavformat/oggparsevorbis.c	Tue Feb  9 19:51:11 2010	(r21711)
@@ -35,27 +35,28 @@ vorbis_comment(AVFormatContext * as, uin
 {
     const uint8_t *p = buf;
     const uint8_t *end = buf + size;
-    unsigned s, n, j;
+    unsigned n, j;
+    int s;
 
     if (size < 8) /* must have vendor_length and user_comment_list_length */
         return -1;
 
     s = bytestream_get_le32(&p);
 
-    if (end - p < s)
+    if (end - p - 4 < s || s < 0)
         return -1;
 
     p += s;
 
     n = bytestream_get_le32(&p);
 
-    while (p < end && n > 0) {
+    while (end - p >= 4 && n > 0) {
         const char *t, *v;
         int tl, vl;
 
         s = bytestream_get_le32(&p);
 
-        if (end - p < s)
+        if (end - p < s || s < 0)
             break;
 
         t = p;
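Review bot: the `s < 0` tests only work because `bytestream_get_le32` returns an unsigned 32-bit value and the assignment to the new `int s` converts values of 2^31 and above to a negative number; that conversion is implementation-defined in C, so a short comment at `int s;` stating that the signedness is deliberate would keep a future cleanup from "fixing" it back to `unsigned`. With `s` signed, `end - p - 4 < s` is a signed comparison on both sides (`ptrdiff_t` against `int`), which is what the log message is after. The `- 4` in the first check reserves room for the `user_comment_list_length` read that follows `p += s`, and the new loop condition `end - p >= 4` does the same for each per-comment length read, so every `bytestream_get_le32` call in the hunk is now bounds-checked before it executes; note that the inner `end - p < s || s < 0` check does not itself reserve the next 4 bytes, but the loop condition covers that on the following iteration. The handling of `tl`/`vl` after `t = p;` is outside this hunk.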


