riff: prevent crash if rounded up tag size exceeds data size

author René Stadler <mail@renestadler.de>

Fri, 26 Jun 2009 21:50:54 +0000 (00:50 +0300)

committer René Stadler <mail@renestadler.de>

Fri, 26 Jun 2009 22:22:52 +0000 (01:22 +0300)
author René Stadler <mail@renestadler.de>
Fri, 26 Jun 2009 21:50:54 +0000 (00:50 +0300)
committer René Stadler <mail@renestadler.de>
Fri, 26 Jun 2009 22:22:52 +0000 (01:22 +0300)
diff --git a/gst-libs/gst/riff/riff-read.c b/gst-libs/gst/riff/riff-read.c

index fe0aa74..28f4a80 100644 (file)
--- a/gst-libs/gst/riff/riff-read.c
+++ b/gst-libs/gst/riff/riff-read.c
@@ -728,8 +728,11 @@ gst_riff_parse_info (GstElement * element,
        }
      }
  
-    if (tsize & 1)
+    if (tsize & 1) {
        tsize++;
+      if (tsize > size)
+        tsize = size;
+    }
  
      data += tsize;
      size -= tsize;
author	René Stadler <mail@renestadler.de>
	Fri, 26 Jun 2009 21:50:54 +0000 (00:50 +0300)
committer	René Stadler <mail@renestadler.de>
	Fri, 26 Jun 2009 22:22:52 +0000 (01:22 +0300)