diff options
author | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:18:23 +0000 |
---|---|---|
committer | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:18:23 +0000 |
commit | 6cd7817e54df6984cba618d1a4e2d9f48c07d917 (patch) | |
tree | 751cda16500370c3eec666f03d8b63090494feba | |
parent | 055a48d42a5779c15345713c09d3631d39698515 (diff) | |
download | tremor-6cd7817e54df6984cba618d1a4e2d9f48c07d917.tar.gz |
Fixes for r17514 (take two).
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17517 0101bb08-14d6-0310-b084-bc0e0c8e3800
-rw-r--r-- | info.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -21,6 +21,7 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <limits.h> #include <ogg/ogg.h> #include "ivorbiscodec.h" #include "codec_internal.h" @@ -194,9 +195,9 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){ if(vc->vendor==NULL)goto err_out; _v_readstring(opb,vc->vendor,vendorlen); i=oggpack_read(opb,32); - if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; - vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments)); - vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths)); + if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; + vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments)); + vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths)); if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out; vc->comments=i; |