[xiph-commits] r16217 - trunk/vorbis/lib
xiphmont at svn.xiph.org
xiphmont at svn.xiph.org
Tue Jul 7 15:44:49 PDT 2009
Author: xiphmont
Date: 2009-07-07 15:44:49 -0700 (Tue, 07 Jul 2009)
New Revision: 16217
Modified:
trunk/vorbis/lib/info.c
Log:
Correct a potential* comment length sanity check overflow.
*as defined by the Derf Convention.
Modified: trunk/vorbis/lib/info.c
===================================================================
--- trunk/vorbis/lib/info.c 2009-07-07 22:41:22 UTC (rev 16216)
+++ trunk/vorbis/lib/info.c 2009-07-07 22:44:49 UTC (rev 16217)
@@ -241,7 +241,7 @@
int i;
int vendorlen=oggpack_read(opb,32);
if(vendorlen<0)goto err_out;
- if(vendorlen+8>opb->storage)goto err_out;
+ if(vendorlen>opb->storage-8)goto err_out;
vc->vendor=_ogg_calloc(vendorlen+1,1);
_v_readstring(opb,vc->vendor,vendorlen);
i=oggpack_read(opb,32);
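Review bot: The result of `_ogg_calloc(vendorlen+1,1)` is passed straight to `_v_readstring` without a NULL check, and `vendorlen` is a value read from the packet that is bounded only by `opb->storage-8`. If the allocation fails, the copy would presumably write through a null pointer. Adding `if(!vc->vendor)goto err_out;` after the calloc would close this, assuming `err_out` copes with a partly filled `vc` (its code is outside the hunk). The same pattern appears in the second hunk for `vc->user_comments[i]`. The enclosing function starts and ends outside this hunk.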
@@ -254,7 +254,7 @@
for(i=0;i<vc->comments;i++){
int len=oggpack_read(opb,32);
if(len<0)goto err_out;
- if(len+oggpack_bytes(opb)>opb->storage)goto err_out;
+ if(len>opb->storage-oggpack_bytes(opb))goto err_out;
vc->comment_lengths[i]=len;
vc->user_comments[i]=_ogg_calloc(len+1,1);
_v_readstring(opb,vc->user_comments[i],len);
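Review bot: The rearranged bound `len>opb->storage-oggpack_bytes(opb)` has no comment explaining why it subtracts instead of adds, so a later cleanup could fold it back into the overflowing form. A one-line comment above the check would record the intent, for example `/* compare against bytes remaining; len comes from the stream and len+bytes can overflow */`. The first hunk's `vendorlen>opb->storage-8` deserves the same comment, plus a word on what the constant 8 stands for, since that is not visible here. The loop body continues outside the hunk.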