virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Code Issues Releases Activity

simply buffer checks in vorbis_comment()

Browse Source 
Originally committed as revision 10725 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Måns Rullgård 2007-10-13 11:43:03 +00:00
parent 0a770ae7b4
commit 972c5f9e10
1 changed files with 6 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
libavformat/oggparsevorbis.c
View File

@ -34,36 +34,32 @@ extern int
vorbis_comment(AVFormatContext * as, uint8_t *buf, int size) vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
{ {
uint8_t *p = buf; uint8_t *p = buf;
uint8_t *end = buf + size;
unsigned s, n, j; unsigned s, n, j;
if (size < 8) /* must have vendor_length and user_comment_list_length */ if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1; return -1;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
size -= 4;
if (size - 4 < s) if (end - p < s)
return -1; return -1;
p += s; p += s;
size -= s;
n = bytestream_get_le32(&p); n = bytestream_get_le32(&p);
size -= 4;
while (size >= 4) { while (p < end && n > 0) {
char *t, *v; char *t, *v;
int tl, vl; int tl, vl;
s = bytestream_get_le32(&p); s = bytestream_get_le32(&p);
size -= 4;
if (size < s) if (end - p < s)
break; break;
t = p; t = p;
p += s; p += s;
size -= s;
n--; n--;
v = memchr(t, '=', s); v = memchr(t, '=', s);
@ -103,8 +99,8 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
} }
} }
if (size > 0) if (p != end)
av_log(as, AV_LOG_INFO, "%i bytes of comment header remain\n", size); av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", p-end);
if (n > 0) if (n > 0)
av_log(as, AV_LOG_INFO, av_log(as, AV_LOG_INFO,
"truncated comment header, %i comments not found\n", n); "truncated comment header, %i comments not found\n", n);