From fdf622ded070640a924e63a6e630325520d0b567 Mon Sep 17 00:00:00 2001
From: reimar <reimar@9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
Date: Thu, 24 Sep 2009 15:37:09 +0000
Subject: [PATCH] Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20014 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
libavformat/oggparsevorbis.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
16
index afc3fcb..1ef7365 100644
17
--- a/libavformat/oggparsevorbis.c
18
+++ b/libavformat/oggparsevorbis.c
19
@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
21
const uint8_t *p = buf;
22
const uint8_t *end = buf + size;
27
if (size < 8) /* must have vendor_length and user_comment_list_length */
30
s = bytestream_get_le32(&p);
33
+ if (end - p - 4 < s || s < 0)
38
n = bytestream_get_le32(&p);
40
- while (p < end && n > 0) {
41
+ while (end - p >= 4 && n > 0) {
45
s = bytestream_get_le32(&p);
48
+ if (end - p < s || s < 0)