[xiph-commits] r17514 - trunk/Tremor
tterribe at svn.xiph.org
Wed Oct 13 13:58:52 PDT 2010
Author: tterribe
Date: 2010-10-13 13:58:52 -0700 (Wed, 13 Oct 2010)
New Revision: 17514
Modified:
trunk/Tremor/info.c
Log:
Forward port r14502, r16217, and parts of r16222.
Don't try to read past the end of the comment packet if the string lengths are
corrupt.
Correct a potential comment length sanity check overflow.
Commit additional hardening to comment packet decode.
Also add allocation checks, since these can still run us out of address space
if someone actually sends a GB or two of comment data.
Modified: trunk/Tremor/info.c
===================================================================
--- trunk/Tremor/info.c 2010-10-13 20:22:50 UTC (rev 17513)
+++ trunk/Tremor/info.c 2010-10-13 20:58:52 UTC (rev 17514)
@@ -186,22 +186,31 @@
static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
int i;
- int vendorlen=oggpack_read(opb,32);
+ int vendorlen;
+ vendorlen=oggpack_read(opb,32);
if(vendorlen<0)goto err_out;
+ if(vendorlen>opb->storage-oggpack_bytes(opb))goto err_out;
vc->vendor=(char *)_ogg_calloc(vendorlen+1,1);
+ if(vc->vendor==NULL)goto err_out;
_v_readstring(opb,vc->vendor,vendorlen);
- vc->comments=oggpack_read(opb,32);
- if(vc->comments<0)goto err_out;
+ i=oggpack_read(opb,32);
+ if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
-
+ if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out;
+ vc->comments=i;
+
for(i=0;i<vc->comments;i++){
int len=oggpack_read(opb,32);
- if(len<0)goto err_out;
- vc->comment_lengths[i]=len;
+ if(len<0||len>opb->storage-oggpack_bytes(opb))goto err_out;
+ vc->comment_lengths[i]=len;
vc->user_comments[i]=(char *)_ogg_calloc(len+1,1);
+ if(vc->user_comments[i]==NULL){
+ vc->comments=i;
+ goto err_out;
+ }
_v_readstring(opb,vc->user_comments[i],len);
- }
+ }
if(oggpack_read(opb,1)!=1)goto err_out; /* EOP check */
return(0);
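Review bot: the two `_ogg_calloc` calls for `vc->user_comments` and `vc->comment_lengths` still size the arrays with `vc->comments+1`, but `vc->comments=i;` is now assigned only after those allocations. The arrays are therefore sized from whatever `vc->comments` held on entry rather than from the count that was just read and bounds-checked into `i`, while the loop below then writes `i` entries into them. Size both allocations with `i+1` (keeping `vc->comments=i;` after the NULL check so the error path never sees a count without backing arrays), or move the assignment above the allocations and confirm the `err_out` cleanup tolerates NULL arrays. A smaller point on the same lines: the new checks compare against `opb->storage-oggpack_bytes(opb)` in three places, and a short comment stating that a comment count is bounded by remaining bytes `>>2` because each entry needs at least a 4-byte length field would make the intent of the second check clear to later readers.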