Fix possible buffer over-read in vorbis_comment, fix it double to be sure.

First, make s signed, so that comparisons against end - p will not be made as unsigned, making the check incorrectly pass if p is beyond end. Also ensure that p will never be > end, so the code is correct also if buf is not padded. Originally committed as revision 20014 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2009-09-24 15:37:09 +0000
committer: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2009-09-24 15:37:09 +0000
commit: 98422c44cf86de6da8f73a7bd80284ed165c5a98 (patch)
tree: 79cf42abd43abd728d71bdaada4045b9fa60efd2 /libavformat/oggparsevorbis.c
parent: 595324e143b57a52e2329eb47b84395c70f93087 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index afc3fcb5a6..1ef7365f4a 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
     const uint8_t *p = buf;
     const uint8_t *end = buf + size;
-    unsigned s, n, j;
+    unsigned n, j;
+    int s;
 
     if (size < 8) /* must have vendor_length and user_comment_list_length */
         return -1;
 
     s = bytestream_get_le32(&p);
 
-    if (end - p < s)
+    if (end - p - 4 < s || s < 0)
         return -1;
 
     p += s;
 
     n = bytestream_get_le32(&p);
 
-    while (p < end && n > 0) {
+    while (end - p >= 4 && n > 0) {
         const char *t, *v;
         int tl, vl;
 
         s = bytestream_get_le32(&p);
 
-        if (end - p < s)
+        if (end - p < s || s < 0)
             break;
 
         t = p;
author	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2009-09-24 15:37:09 +0000
committer	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2009-09-24 15:37:09 +0000
commit	98422c44cf86de6da8f73a7bd80284ed165c5a98 (patch)
tree	79cf42abd43abd728d71bdaada4045b9fa60efd2 /libavformat/oggparsevorbis.c
parent	595324e143b57a52e2329eb47b84395c70f93087 (diff)