[xiph-commits] r3883 - libfishsound/trunk/src/libfishsound
conrad at svn.annodex.net
conrad at svn.annodex.net
Tue Mar 17 00:25:13 PDT 2009
Author: conrad
Date: 2009-03-17 00:25:12 -0700 (Tue, 17 Mar 2009)
New Revision: 3883
Modified:
libfishsound/trunk/src/libfishsound/comments.c
Log:
apply patch by Jim Blandy from Mozilla bug 480521
Avoid overflow in comment lengths
Modified: libfishsound/trunk/src/libfishsound/comments.c
===================================================================
--- libfishsound/trunk/src/libfishsound/comments.c 2009-03-17 07:24:59 UTC (rev 3882)
+++ libfishsound/trunk/src/libfishsound/comments.c 2009-03-17 07:25:12 UTC (rev 3883)
@@ -415,9 +415,10 @@
end = c+length;
len=readint(c, 0);
+ if (len<0) return -1;
c+=4;
- if (c+len>end) return -1;
+ if (len>end-c) return -1;
/* Vendor */
if (len > 0) {
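Review bot: The rewritten bound `if (len>end-c) return -1;` has no comment explaining why it is not written as `c+len>end`, so a later cleanup could put the overflowing form back. The same applies to the identical check in the third hunk, inside the per-comment loop. I would add above each one `/* compare len with the bytes left; c+len can wrap past end for a large len */`. The `len<0` test only works if `len` is a signed type and `readint` yields a negative value when the top bit of the stored length is set; both are declared outside the hunk, so that is worth confirming. The enclosing function starts and ends outside the hunk.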
@@ -435,6 +436,8 @@
if (c+4>end) return -1;
+ /* This value gets checked effectively by the 'for' condition
+ and the checks within the loop for c running off the end. */
nb_fields=readint(c, 0);
#ifdef DEBUG
printf ("fish_sound_comments_decode: %d comments\n", nb_fields);
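Review bot: The context line `if (c+4>end) return -1;` still uses the pointer-addition form that this commit replaces in the two length checks. When fewer than four bytes remain, `c+4` points more than one past the end of the buffer, which is undefined behaviour and can in principle wrap. Writing it as `if (end-c<4) return -1;` would keep it in the same remaining-bytes form as the others. The new comment relies on the `for` condition and the in-loop checks, which are outside this hunk; if the loop repeats a `c+4>end` test before each `readint`, it would want the same rewrite.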
@@ -449,9 +452,10 @@
#ifdef DEBUG
printf ("fish_sound_comments_decode: [%d] len %d\n", i, len);
#endif
+ if (len<0) return -1;
c+=4;
- if (c+len>end) return -1;
+ if (len>end-c) return -1;
name = c;
value = fs_index_len (c, '=', len);