ref: 9cdde2e9f347629ab8c90ec38311d9318217ada6
parent: 5fcf9ef3ee6be2fb7a12ea66fa228c76f193c590
author: Gregory Maxwell <greg@xiph.org>
date: Thu Nov 17 18:59:20 EST 2011
Opusdec print_comments hardening.
--- a/src/opusdec.c
+++ b/src/opusdec.c
@@ -187,24 +187,22 @@
{char *c=comments;
int len, i, nb_fields;
- char *end;
- if (strncmp(c, "OpusTags", 8) != 0)
+ if (length<(8+4+4))
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
}
- c += 8;
- fprintf(stderr, "Encoded with ");
- if (length<8)
+ if (strncmp(c, "OpusTags", 8) != 0)
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
}
- end = c+length;
+ c += 8;
+ fprintf(stderr, "Encoded with ");
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ if (len < 0 || len>(length-16))
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
@@ -212,16 +210,18 @@
fwrite(c, 1, len, stderr);
c+=len;
fprintf (stderr, "\n");
- if (c+4>end)
+ /*The -16 check above makes sure we can read this.*/
+ nb_fields=readint(c, 0);
+ c+=4;
+ length-=16+len;
+ if (nb_fields < 0 || nb_fields>(length>>2))
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
}
- nb_fields=readint(c, 0);
- c+=4;
for (i=0;i<nb_fields;i++)
{- if (c+4>end)
+ if (length<4)
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
@@ -228,7 +228,8 @@
}
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ length-=4;
+ if (len < 0 || len>length)
{fprintf (stderr, "Invalid/corrupted comments\n");
return;
@@ -235,6 +236,7 @@
}
fwrite(c, 1, len, stderr);
c+=len;
+ length-=len;
fprintf (stderr, "\n");
}
}