From b655cfefafd565590bfc5976b9ce8dd141b3c41c Mon Sep 17 00:00:00 2001
From: Xi Wang
Date: Wed, 14 Nov 2012 03:25:41 -0500
Subject: apetag: fix error handling in ff_ape_parse_tag()

The following error handling is broken due to signedness.

int file_size; uint32_t tag_bytes; int64_t tag_start; ... tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES; if (tag_start < 0) { ... }

Note that tag_bytes is unsigned, which makes the right-hand side of `tag_start = ...' unsigned, too. The 32-bit unsigned value is then zero-extended to 64 bits. Therefore, tag_start must be non-negative, and the check (tag_start < 0) is always false, which breaks the error handling.

This patch fixes the check.

Signed-off-by: Xi Wang
Signed-off-by: Anton Khirnov
---
 libavformat/apetag.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavformat/apetag.c')

diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 28a3ff7753..0d2cb973fb 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -144,11 +144,11 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
         return 0;
     }
 
-    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
-    if (tag_start < 0) {
+    if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES) {
         av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes);
         return 0;
     }
+    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
 
     fields = avio_rl32(pb); /* number of fields */
     if (fields > 65536) {
-- 
cgit v1.2.3
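Review bot: The new guard `if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES)` is itself a mixed-signedness comparison: `file_size` is an `int` per the commit message, so `file_size - APE_TAG_FOOTER_BYTES` is converted to `uint32_t` before the compare, and if `file_size` were ever smaller than `APE_TAG_FOOTER_BYTES` the right-hand side would wrap to a large value and the check would pass instead of rejecting the tag. That is only safe if an earlier check already rejects files shorter than the footer, which lies outside the hunk and cannot be confirmed here. Making the intent explicit protects the fix from the same class of bug it is correcting, e.g. `if ((int64_t)tag_bytes > (int64_t)file_size - APE_TAG_FOOTER_BYTES) {`, and a one-line comment such as `/* tag_bytes is unsigned: validate before subtracting so the result cannot wrap */` would record why the `tag_start` assignment was moved below the check. ff_ape_parse_tag() begins and ends outside the hunk.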