[xiph-commits] r3882 - liboggz/trunk/src/liboggz

conrad at svn.annodex.net conrad at svn.annodex.net
Tue Mar 17 00:24:59 PDT 2009


Author: conrad
Date: 2009-03-17 00:24:59 -0700 (Tue, 17 Mar 2009)
New Revision: 3882

Modified:
   liboggz/trunk/src/liboggz/oggz_comments.c
Log:
Apply patch by Jim Blandy from Mozilla bug 480521
Avoid overflow in comment lengths

Modified: liboggz/trunk/src/liboggz/oggz_comments.c
===================================================================
--- liboggz/trunk/src/liboggz/oggz_comments.c	2009-03-17 07:05:47 UTC (rev 3881)
+++ liboggz/trunk/src/liboggz/oggz_comments.c	2009-03-17 07:24:59 UTC (rev 3882)
@@ -537,9 +537,10 @@
 
    end = c+length;
    len=readint(c, 0);
+   if (len<0) return -1;
 
    c+=4;
-   if (c+len>end) return -1;
+   if (len>end-c) return -1;
 
    stream = oggz_get_stream (oggz, serialno);
    if (stream == NULL) return OGGZ_ERR_BAD_SERIALNO;
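Review bot: The new `if (len<0) return -1;` guard only rejects an oversized length field if readint() yields a negative int for a 32-bit value with its top bit set; readint is not visible here, and if it assembles the value by shifting bytes of a `char` buffer into an `int`, that negative result is not guaranteed by the language. A form that does not depend on it reads the field as unsigned and compares it against the bytes remaining as an unsigned quantity: `uint32_t ulen = (uint32_t)readint(c, 0); c+=4; if (ulen > (size_t)(end-c)) return -1;`, with `len` then taken from `ulen` once it is known to fit. The field-length check in the second hunk (`len=readint(c, 0)` inside the `for` loop) has the same dependency. The enclosing function starts before this hunk, so whether the caller guarantees at least four bytes before this first readint() cannot be seen from the hunk; if it does not, `if (end-c<4) return -1;` belongs before it.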
@@ -556,15 +557,18 @@
 
    if (c+4>end) return -1;
 
+   /* This value gets checked effectively by the 'for' condition
+      and the checks within the loop for c running off the end.  */
    nb_fields=readint(c, 0);
    c+=4;
    for (i=0;i<nb_fields;i++) {
       if (c+4>end) return -1;
 
       len=readint(c, 0);
+      if (len<0) return -1;
 
       c+=4;
-      if (c+len>end) return -1;
+      if (len>end-c) return -1;
 
       name = c;
       value = oggz_index_len (c, '=', len);
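Review bot: `nb_fields` is never range-checked, so a field count with its top bit set (negative as an int) makes the `for` loop run zero times and the function accepts the header as if it carried no fields; the added comment documents this reliance on the loop condition but does not make the rejection explicit. For parity with the new `len<0` guards, `if (nb_fields<0) return -1;` immediately after `nb_fields=readint(c, 0);` would reject a malformed count instead of silently treating it as empty, and the comment above it could then say so rather than pointing to the loop. This is a robustness point, not a memory-safety one, since the per-field `c+4>end` and `len>end-c` checks already bound every read. The loop body and the rest of the enclosing function continue past the end of this hunk.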


