From 972c5f9e10107650e9fb3544f22ce1e8370e9d80 Mon Sep 17 00:00:00 2001
From: =?utf8?q?M=C3=A5ns=20Rullg=C3=A5rd?=
Date: Sat, 13 Oct 2007 11:43:03 +0000
Subject: [PATCH] simply buffer checks in vorbis_comment()
Originally committed as revision 10725 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/oggparsevorbis.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index a89e881..e60efda 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -34,36 +34,32 @@ extern int
 vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
 uint8_t *p = buf;
+ uint8_t *end = buf + size;
 unsigned s, n, j;
 if (size < 8) /* must have vendor_length and user_comment_list_length */
 return -1;
 s = bytestream_get_le32(&p);
- size -= 4;
- if (size - 4 < s)
+ if (end - p < s)
 return -1;
 p += s;
- size -= s;
 n = bytestream_get_le32(&p);
- size -= 4;
- while (size >= 4) {
+ while (p < end && n > 0) {
 char *t, *v;
 int tl, vl;
 s = bytestream_get_le32(&p);
- size -= 4;
- if (size < s)
+ if (end - p < s)
 break;
 t = p;
 p += s;
- size -= s;
 n--;
 v = memchr(t, '=', s);
@@ -103,8 +99,8 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 }
 }
- if (size > 0)
- av_log(as, AV_LOG_INFO, "%i bytes of comment header remain\n", size);
+ if (p != end)
+ av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", p-end);
 if (n > 0)
 av_log(as, AV_LOG_INFO, "truncated comment header, %i comments not found\n", n);
--
2.7.4
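Review bot: The rewritten vendor-length check `if (end - p < s)` no longer reserves the four bytes of user_comment_list_length that the old `size - 4 < s` kept, so a vendor string that exactly fills the buffer lets the following `bytestream_get_le32(&p)` read past `end`; `if (end - p - 4 < s)` restores that margin. The loop condition `while (p < end && n > 0)` has the same gap, since it admits one to three remaining bytes before a four-byte length read where the old `while (size >= 4)` did not; `while (end - p >= 4 && n > 0) {` keeps that read in bounds. Once `p` has passed `end`, `end - p` is negative and is compared with the unsigned `s`; on targets where ptrdiff_t is no wider than unsigned it would presumably convert to a large value, so the in-loop `end - p < s` test would not reject the comment and the later `memchr(t, '=', s)` would scan outside the buffer. The body of vorbis_comment() continues outside this hunk, so the remaining uses of `t`, `v` and `s` should be re-read against the new bounds as well.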
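Review bot: The new log call passes `p-end`, which is negative whenever bytes actually remain (`p < end`), so the "bytes of comment header remain" message reports a negative count; the argument should be `end - p`. The condition `p != end` is also true when parsing has moved `p` beyond `end`, a case the old `size > 0` test did not report as leftover data, so `if (p < end)` would keep the original meaning. The start of vorbis_comment() lies outside this hunk.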