From: Justin Ruggles Date: Tue, 13 Sep 2011 19:13:44 +0000 (-0400) Subject: flacdec: fix buffer size checking in get_metadata_size() X-Git-Tag: v0.8b1~1409 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4c5e7b27d57dd2be777780e840eef9be63242158;p=platform%2Fupstream%2Flibav.git flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. --- diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index f6d0abe..3eb117a 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -226,9 +226,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; }
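Review bot: The new guard at the top of the do loop, `if (buf_end - buf < 4) return 0;`, returns without a comment and repeats the bare 4 already used by `buf += 4`. The existing size check below it explains its return with "need more data in order to read the complete header". I would add a matching comment, or a named constant for the block header length, so that both early returns read as the same "need more data" condition. On the rewritten comparison, `buf_end - buf < metadata_size` is the safer form because it never computes a pointer past buf_end. It still depends on metadata_size being non-negative, since a negative value would pass the check. The declaration of metadata_size is outside this hunk, so its type and range are worth confirming there.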