From 41b7504e9ce7725a83a23a67de61fa73ceb73b28 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ren=C3=A9=20Stadler?=
Date: Sat, 27 Jun 2009 00:50:54 +0300
Subject: [PATCH] riff: prevent crash if rounded up tag size exceeds data size

When rounding up `tsize' exceeds the remaining buffer size, `size' underflows and an invalid read past the buffer data follows.
---
 gst-libs/gst/riff/riff-read.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gst-libs/gst/riff/riff-read.c b/gst-libs/gst/riff/riff-read.c
index fe0aa74..28f4a80 100644
--- a/gst-libs/gst/riff/riff-read.c
+++ b/gst-libs/gst/riff/riff-read.c
@@ -728,8 +728,11 @@ gst_riff_parse_info (GstElement * element,
 }
 }
- if (tsize & 1)
+ if (tsize & 1) {
 tsize++;
+ if (tsize > size)
+ tsize = size;
+ }
 data += tsize;
 size -= tsize;
--
2.7.4
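Review bot: The new `if (tsize > size) tsize = size;` clamp is nested inside the `if (tsize & 1)` branch, so it protects `size -= tsize` only when the tag length was odd and got rounded up. An even `tsize` larger than the remaining `size` would still underflow `size` unless it is already bounded earlier in the loop, which is outside this hunk; if that earlier check exists, a short comment such as `/* tsize <= size was enforced above; only the pad byte can overshoot */` would make the invariant visible. Otherwise placing the clamp after the closing brace, so it applies to both the odd and even case, is the safer form. gst_riff_parse_info's body starts and ends outside the hunk, and `tsize` is presumably read from the file being parsed, so this bound is what keeps `data` inside the buffer.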