--- libavformat/oggparsevorbis.c.orig 2011-03-05 00:24:29.000000000 +0100
+++ libavformat/oggparsevorbis.c 2011-03-05 00:26:30.000000000 +0100
@@ -35,27 +35,28 @@ vorbis_comment(AVFormatContext * as, uin
{
const uint8_t *p = buf;
const uint8_t *end = buf + size;
- unsigned s, n, j;
+ unsigned n, j;
+ int s;
if (size < 8) /* must have vendor_length and user_comment_list_length */
return -1;
s = bytestream_get_le32(&p);
- if (end - p < s)
+ if (end - p - 4 < s || s < 0)
return -1;
p += s;
n = bytestream_get_le32(&p);
- while (p < end && n > 0) {
+ while (end - p >= 4 && n > 0) {
const char *t, *v;
int tl, vl;
s = bytestream_get_le32(&p);
- if (end - p < s)
+ if (end - p < s || s < 0)
break;
t = p;
distrib
>
Mageia
>
1
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
b850e5c583858315953a44a2c2fc9494
>
files
>
28
