diff options
| author | Nedeljko Babic <nbabic@mips.com> | 2012-03-29 14:17:42 +0200 |
|---|---|---|
| committer | Nedeljko Babic <nbabic@mips.com> | 2012-04-03 15:38:03 +0200 |
| commit | 0bcded806a0327c86d9246703724b45037d1bbaa (patch) | |
| tree | 23e6c1ab6ea0d6e78fc3175d9e53abd1e38924dc | |
| parent | 4ade16cbfab82e99e1950b599c194d8c5ccac32b (diff) | |
| download | tremor-tremolo_mips.tar.gz | |
Forward parts of port r14502, r16217, and r16222.tremolo_mips
Correct a potential comment length sanity check overflow.
Commit additional hardening to comment packet decode.
Also add allocation checks, since these can still run us out of address space
if someone actually sends a GB or two of comment data.
[Import parts of changes from Tremor (69dfba9 2010-10-13)]
| -rw-r--r-- | info.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -200,17 +200,23 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){ int vendorlen=oggpack_read(opb,32); if(vendorlen<0)goto err_out; vc->vendor=(char *)_ogg_calloc(vendorlen+1,1); + if(vc->vendor==NULL)goto err_out; _v_readstring(opb,vc->vendor,vendorlen); vc->comments=oggpack_read(opb,32); if(vc->comments<0)goto err_out; vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments)); vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths)); + if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out; for(i=0;i<vc->comments;i++){ int len=oggpack_read(opb,32); if(len<0)goto err_out; vc->comment_lengths[i]=len; vc->user_comments[i]=(char *)_ogg_calloc(len+1,1); + if(vc->user_comments[i]==NULL){ + vc->comments=i; + goto err_out; + } _v_readstring(opb,vc->user_comments[i],len); } if(oggpack_read(opb,1)!=1)goto err_out; /* EOP check */ |