[xiph-commits] r17517 - trunk/Tremor
tterribe at svn.xiph.org
tterribe at svn.xiph.org
Wed Oct 13 16:18:23 PDT 2010
Author: tterribe
Date: 2010-10-13 16:18:23 -0700 (Wed, 13 Oct 2010)
New Revision: 17517
Modified:
trunk/Tremor/info.c
Log:
Fixes for r17514 (take two).
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
Modified: trunk/Tremor/info.c
===================================================================
--- trunk/Tremor/info.c 2010-10-13 23:17:20 UTC (rev 17516)
+++ trunk/Tremor/info.c 2010-10-13 23:18:23 UTC (rev 17517)
@@ -21,6 +21,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include <ogg/ogg.h>
#include "ivorbiscodec.h"
#include "codec_internal.h"
@@ -194,9 +195,9 @@
if(vc->vendor==NULL)goto err_out;
_v_readstring(opb,vc->vendor,vendorlen);
i=oggpack_read(opb,32);
- if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
- vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
- vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
+ if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
+ vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments));
+ vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths));
if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out;
vc->comments=i;
More information about the commits
mailing list