From ef84190a1ab777c35ea9fec64c3ab6ce641b79e5 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Tue, 9 Feb 2010 18:51:11 +0000
Subject: Fix possible buffer over-read in vorbis_comment, fix it double to be sure.

First, make s signed, so that comparisons against end - p will not be made as unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if buf is not padded.

backported r20014 by reimar

Originally committed as revision 21711 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
---
 libavformat/oggparsevorbis.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'libavformat')

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index 7c97807c01..82029daf93 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -35,27 +35,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
     const uint8_t *p = buf;
     const uint8_t *end = buf + size;
-    unsigned s, n, j;
+    unsigned n, j;
+    int s;
 
     if (size < 8) /* must have vendor_length and user_comment_list_length */
         return -1;
 
     s = bytestream_get_le32(&p);
 
-    if (end - p < s)
+    if (end - p - 4 < s || s < 0)
         return -1;
 
     p += s;
 
     n = bytestream_get_le32(&p);
 
-    while (p < end && n > 0) {
+    while (end - p >= 4 && n > 0) {
         const char *t, *v;
         int tl, vl;
 
         s = bytestream_get_le32(&p);
 
-        if (end - p < s)
+        if (end - p < s || s < 0)
             break;
 
         t = p;
-- 
cgit v1.2.3
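Review bot: The two added `s < 0` guards depend on the out-of-range unsigned result of `bytestream_get_le32` wrapping into the now-signed `int s`, and C leaves that unsigned-to-signed conversion implementation-defined rather than guaranteed, so the rejection of lengths at or above 2^31 holds on the usual two's-complement targets but not by the language. Because `size >= 8` leaves `end - p >= 4` after the first read, and the new loop condition `end - p >= 4` does the same before the second, both remaining lengths are non-negative at the comparison points, so the same over-read protection follows without the conversion by keeping `s` unsigned and comparing against the cast remaining length: `if ((unsigned)(end - p - 4) < s)` for the vendor string and `if ((unsigned)(end - p) < s)` inside the loop. If the signed form is kept, the declaration deserves a comment such as `int s; /* signed so the end - p comparisons are not promoted to unsigned; lengths >= 2^31 become negative and are rejected */`. The loop body continues past the hunk, so the later uses of `s`, `t` and `n` are not visible here.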