Correct a potential* comment length sanity check overflow.
authorMonty <xiphmont@xiph.org>
Tue, 7 Jul 2009 22:44:49 +0000 (22:44 +0000)
committerMonty <xiphmont@xiph.org>
Tue, 7 Jul 2009 22:44:49 +0000 (22:44 +0000)
*as defined by the Derf Convention.

svn path=/trunk/vorbis/; revision=16217

lib/info.c

index a346654..93953d9 100644 (file)
@@ -241,7 +241,7 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
   int i;
   int vendorlen=oggpack_read(opb,32);
   if(vendorlen<0)goto err_out;
-  if(vendorlen+8>opb->storage)goto err_out;
+  if(vendorlen>opb->storage-8)goto err_out;
   vc->vendor=_ogg_calloc(vendorlen+1,1);
   _v_readstring(opb,vc->vendor,vendorlen);
   i=oggpack_read(opb,32);
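Review bot: The result of `_ogg_calloc(vendorlen+1,1)` is handed straight to `_v_readstring` with no NULL check, so an allocation failure on a length taken from the stream would presumably become a write through a null pointer. The new bound limits how large `vendorlen` can be but does not remove that path; adding `if(!vc->vendor)goto err_out;` right after the allocation would close it. The same pattern appears in the second hunk for `vc->user_comments[i]`, where `if(!vc->user_comments[i])goto err_out;` fits. The function body starts before and continues after both hunks, so what `err_out` releases is not visible here; confirm that it copes with a partly filled `vc`.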
@@ -254,7 +254,7 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
   for(i=0;i<vc->comments;i++){
     int len=oggpack_read(opb,32);
     if(len<0)goto err_out;
-    if(len+oggpack_bytes(opb)>opb->storage)goto err_out;
+    if(len>opb->storage-oggpack_bytes(opb))goto err_out;
     vc->comment_lengths[i]=len;
     vc->user_comments[i]=_ogg_calloc(len+1,1);
     _v_readstring(opb,vc->user_comments[i],len);
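Review bot: The rewritten comparison has no comment explaining why the subtraction sits on the right-hand side, so a later cleanup could easily restore the additive form and with it the overflow in `len+oggpack_bytes(opb)`. A one-line comment above the check would do, for example `/* compare against bytes remaining; len+bytes could overflow */`. The vendor check in the first hunk would benefit from the same remark plus a word on what the constant `8` accounts for, since it bounds against total storage minus a fixed amount rather than the bytes actually left. The loop and the function continue outside this hunk.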