diff options
author | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:12:19 +0000 |
---|---|---|
committer | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:12:19 +0000 |
commit | 88015f25dc5c29bf2819bfd8f7d2b46ec20dc204 (patch) | |
tree | 2d26702b018fd7cc556a718eaf9e24a976ae581b /info.c | |
parent | 69dfba92c6a0b872273ae79a832d89d6e83a7363 (diff) | |
download | tremor-88015f25dc5c29bf2819bfd8f7d2b46ec20dc204.tar.gz |
Fixes for r17514.
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800
Diffstat (limited to 'info.c')
-rw-r--r-- | info.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -21,6 +21,7 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <limits.h> #include <ogg/ogg.h> #include "ivorbiscodec.h" #include "codec_internal.h" @@ -194,9 +195,9 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){ if(vc->vendor==NULL)goto err_out; _v_readstring(opb,vc->vendor,vendorlen); i=oggpack_read(opb,32); - if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; - vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments)); - vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths)); + if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; + vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments)); + vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths)); if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out; vc->comments=i; |