diff options
author | wm4 <wm4@nowhere> | 2013-04-13 19:17:16 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2013-04-20 23:28:23 +0200 |
commit | 59eaa8ed7e9bc9649e087e427a4136862bb47e51 (patch) | |
tree | a776dccdd2afadb3cbb8847d3f8015427665f326 /demux/demux_mkv.c | |
parent | 1d6558d9c89cd04ee98dedbd917de770234d0914 (diff) | |
download | mpv-59eaa8ed7e9bc9649e087e427a4136862bb47e51.tar.bz2 mpv-59eaa8ed7e9bc9649e087e427a4136862bb47e51.tar.xz |
demux_mkv: verify laces separately, and in all cases
Diffstat (limited to 'demux/demux_mkv.c')
-rw-r--r-- | demux/demux_mkv.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c index aa0ab47fad..785c9eaae3 100644 --- a/demux/demux_mkv.c +++ b/demux/demux_mkv.c @@ -1824,8 +1824,6 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces, goto error; lace_size[i] += t; } while (t == 0xFF); - if (lace_size[i] > buffer->len - total || total > buffer->len) - goto error; total += lace_size[i]; } lace_size[i] = buffer->len - total; @@ -1849,14 +1847,22 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces, if (snum == EBML_INT_INVALID) goto error; lace_size[i] = lace_size[i - 1] + snum; - if (lace_size[i] > buffer->len - total || total > buffer->len) - goto error; total += lace_size[i]; } lace_size[i] = buffer->len - total; break; } } + + total = buffer->len; + for (i = 0; i < *laces; i++) { + if (lace_size[i] > total) + goto error; + total -= lace_size[i]; + } + if (total != 0) + goto error; + return 0; error: |