From 88015f25dc5c29bf2819bfd8f7d2b46ec20dc204 Mon Sep 17 00:00:00 2001
From: Tim Terriberry
Date: Wed, 13 Oct 2010 23:12:19 +0000
Subject: Fixes for r17514. Actually allocate the right number of comments, and add an extra check against i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800
---
info.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'info.c')
diff --git a/info.c b/info.c
index f351a48..75e7205 100644
--- a/info.c
+++ b/info.c
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "ivorbiscodec.h"
 #include "codec_internal.h"
@@ -194,9 +195,9 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
 if(vc->vendor==NULL)goto err_out;
 _v_readstring(opb,vc->vendor,vendorlen);
 i=oggpack_read(opb,32);
- if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
- vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
- vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
+ if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
+ vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments));
+ vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths));
 if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out;
 vc->comments=i;
--
cgit v1.2.1
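Review bot: The new bound on `i` in `_vorbis_unpack_comment` packs three separate limits into one unparenthesized, uncommented condition, which is fragile for a check that gates allocations sized from a count read out of the packet. It parses as intended only because `>>` binds tighter than `>`, so I would write the last term as `i>((opb->storage-oggpack_bytes(opb))>>2)`. I would also add a comment above the check, for example `/* i<INT_MAX keeps i+1 from overflowing; each comment needs a 4-byte length field, so i cannot exceed remaining bytes/4 */`. The 4-bytes-per-entry reading of `>>2` is inferred from the 32-bit read on the line above and should be confirmed against the loop that follows. The declaration of `i`, the `err_out` cleanup and the rest of the function are outside the hunk.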