From: René Stadler Date: Fri, 26 Jun 2009 21:50:54 +0000 (+0300) Subject: riff: prevent crash if rounded up tag size exceeds data size X-Git-Tag: 1.19.3~511^2~9495 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=41b7504e9ce7725a83a23a67de61fa73ceb73b28;p=platform%2Fupstream%2Fgstreamer.git riff: prevent crash if rounded up tag size exceeds data size When rounding up `tsize' exceeds the remaining buffer size, `size' underflows and an invalid read past the buffer data follows. --- diff --git a/gst-libs/gst/riff/riff-read.c b/gst-libs/gst/riff/riff-read.c index fe0aa74..28f4a80 100644 --- a/gst-libs/gst/riff/riff-read.c +++ b/gst-libs/gst/riff/riff-read.c @@ -728,8 +728,11 @@ gst_riff_parse_info (GstElement * element, } } - if (tsize & 1) + if (tsize & 1) { tsize++; + if (tsize > size) + tsize = size; + } data += tsize; size -= tsize;
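Review bot: the new bound check in gst_riff_parse_info sits inside the `if (tsize & 1)` branch, so it only covers the rounded-up case; an even `tsize` larger than `size` would still reach `size -= tsize` and underflow in the way the commit message describes. If nothing earlier in the loop (outside the visible context) already bounds `tsize` by `size`, move `if (tsize > size) tsize = size;` below the closing brace so it applies to both cases. A short comment noting that the padding byte after an odd-sized tag may be absent at the end of the data would also make clear why the clamp is there.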