[xiph-commits] r3882 - liboggz/trunk/src/liboggz
conrad at svn.annodex.net
conrad at svn.annodex.net
Tue Mar 17 00:24:59 PDT 2009
Author: conrad
Date: 2009-03-17 00:24:59 -0700 (Tue, 17 Mar 2009)
New Revision: 3882
Modified:
liboggz/trunk/src/liboggz/oggz_comments.c
Log:
Apply patch by Jim Blandy from Mozilla bug 480521
Avoid overflow in comment lengths
Modified: liboggz/trunk/src/liboggz/oggz_comments.c
===================================================================
--- liboggz/trunk/src/liboggz/oggz_comments.c 2009-03-17 07:05:47 UTC (rev 3881)
+++ liboggz/trunk/src/liboggz/oggz_comments.c 2009-03-17 07:24:59 UTC (rev 3882)
@@ -537,9 +537,10 @@
end = c+length;
len=readint(c, 0);
+ if (len<0) return -1;
c+=4;
- if (c+len>end) return -1;
+ if (len>end-c) return -1;
stream = oggz_get_stream (oggz, serialno);
if (stream == NULL) return OGGZ_ERR_BAD_SERIALNO;
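Review bot: The reason the bound is now written as `len>end-c` instead of `c+len>end` is not recorded next to the check, so a later cleanup could easily turn it back into the pointer-addition form; the same pair of checks recurs inside the loop in the second hunk. A one-line comment above the first check would do, for example `/* len comes from the stream: compare it with the bytes remaining, never form c+len */`. The `len<0` guard appears to rely on `len` being a signed type, and `end-c` being non-negative relies on `length` being at least 4 before the first `readint(c, 0)`. Neither the declaration nor any such length check is visible here, since the function body starts above the hunk, so both are worth confirming.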
@@ -556,15 +557,18 @@
if (c+4>end) return -1;
+ /* This value gets checked effectively by the 'for' condition
+ and the checks within the loop for c running off the end. */
nb_fields=readint(c, 0);
c+=4;
for (i=0;i<nb_fields;i++) {
if (c+4>end) return -1;
len=readint(c, 0);
+ if (len<0) return -1;
c+=4;
- if (c+len>end) return -1;
+ if (len>end-c) return -1;
name = c;
value = oggz_index_len (c, '=', len);
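Review bot: The two `if (c+4>end) return -1;` guards in this hunk (before `nb_fields` is read and at the top of the loop) still use the pointer-addition form that the commit replaces for `len`. For consistency they could be written as `if (end-c<4) return -1;`, which never forms a pointer past the end of the buffer. The added comment is right that a large `nb_fields` is bounded by the per-iteration checks, but a negative value simply skips the loop and the packet is accepted with no comments. If that is not intended, `if (nb_fields<0) return -1;` after the read would make the rejection explicit. The loop body continues beyond the end of the hunk.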