projects
/
platform
/
upstream
/
gstreamer.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
939baee
)
riff: prevent crash if rounded up tag size exceeds data size
author
René Stadler
<mail@renestadler.de>
Fri, 26 Jun 2009 21:50:54 +0000
(
00:50
+0300)
committer
René Stadler
<mail@renestadler.de>
Fri, 26 Jun 2009 22:22:52 +0000
(
01:22
+0300)
When rounding up `tsize' exceeds the remaining buffer size, `size' underflows
and an invalid read past the buffer data follows.
gst-libs/gst/riff/riff-read.c
patch
|
blob
|
history
diff --git
a/gst-libs/gst/riff/riff-read.c
b/gst-libs/gst/riff/riff-read.c
index
fe0aa74
..
28f4a80
100644
(file)
--- a/
gst-libs/gst/riff/riff-read.c
+++ b/
gst-libs/gst/riff/riff-read.c
@@
-728,8
+728,11
@@
gst_riff_parse_info (GstElement * element,
}
}
- if (tsize & 1)
+ if (tsize & 1)
{
tsize++;
+ if (tsize > size)
+ tsize = size;
+ }
data += tsize;
size -= tsize;