[xiph-commits] r15731 - branches/theora-thusnelda/lib/dec

tterribe at svn.xiph.org tterribe at svn.xiph.org
Mon Mar 2 17:21:07 PST 2009 

Author: tterribe
Date: 2009-03-02 17:21:06 -0800 (Mon, 02 Mar 2009)
New Revision: 15731

Modified:
   branches/theora-thusnelda/lib/dec/decinfo.c
Log:
Prevent some potential overflows in comment decoding, as well as a potential
 free()int of invalid pointers.
https://bugzilla.mozilla.org/show_bug.cgi?id=480014


Modified: branches/theora-thusnelda/lib/dec/decinfo.c
===================================================================
--- branches/theora-thusnelda/lib/dec/decinfo.c	2009-03-03 00:51:14 UTC (rev 15730)
+++ branches/theora-thusnelda/lib/dec/decinfo.c	2009-03-03 01:21:06 UTC (rev 15731)
@@ -110,14 +110,15 @@
   int  i;
   /*Read the vendor string.*/
   len=oc_unpack_length(_opb);
-  if(len<0||theorapackB_bytes(_opb)+len>_opb->storage)return TH_EBADHEADER;
+  if(len<0||len>_opb->storage-theorapackB_bytes(_opb))return TH_EBADHEADER;
   _tc->vendor=_ogg_malloc((size_t)len+1);
   oc_unpack_octets(_opb,_tc->vendor,len);
   _tc->vendor[len]='\0';
   /*Read the user comments.*/
   _tc->comments=(int)oc_unpack_length(_opb);
   if(_tc->comments<0||_tc->comments>(LONG_MAX>>2)||
-   theorapackB_bytes(_opb)+((long)_tc->comments<<2)>_opb->storage){
+   ((long)_tc->comments<<2)>_opb->storage-theorapackB_bytes(_opb)){
+    _tc->comments=0;
     return TH_EBADHEADER;
   }
   _tc->comment_lengths=(int *)_ogg_malloc(
@@ -126,7 +127,7 @@
    _tc->comments*sizeof(_tc->user_comments[0]));
   for(i=0;i<_tc->comments;i++){
     len=oc_unpack_length(_opb);
-    if(len<0||theorapackB_bytes(_opb)+len>_opb->storage){
+    if(len<0||len>_opb->storage-theorapackB_bytes(_opb)){
       _tc->comments=i;
       return TH_EBADHEADER;
     }
@@ -223,12 +224,10 @@
 int th_decode_headerin(th_info *_info,th_comment *_tc,
  th_setup_info **_setup,ogg_packet *_op){
   oggpack_buffer opb;
-  int            ret;
   if(_op==NULL)return TH_EBADHEADER;
   if(_info==NULL)return TH_EFAULT;
   theorapackB_readinit(&opb,_op->packet,_op->bytes);
-  ret=oc_dec_headerin(&opb,_info,_tc,_setup,_op);
-  return ret;
+  return oc_dec_headerin(&opb,_info,_tc,_setup,_op);
 }
 
 void th_setup_free(th_setup_info *_setup){

More information about the commits mailing list