diff options
author | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2007-09-13 15:18:57 +0000 |
---|---|---|
committer | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2007-09-13 15:18:57 +0000 |
commit | 429b15b71bbe9971a11b02fb8045560c748a243f (patch) | |
tree | 50a5a71906789042b9444c0011c994288a923395 /libmpdemux | |
parent | 5f9fbb7124d926edbb05fdc50a7a2902be94f3b6 (diff) | |
download | mpv-429b15b71bbe9971a11b02fb8045560c748a243f.tar.bz2 mpv-429b15b71bbe9971a11b02fb8045560c748a243f.tar.xz |
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@24447 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux')
-rw-r--r-- | libmpdemux/aviheader.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/libmpdemux/aviheader.c b/libmpdemux/aviheader.c index d47013fb59..14e4bc9e36 100644 --- a/libmpdemux/aviheader.c +++ b/libmpdemux/aviheader.c @@ -233,16 +233,16 @@ while(1){ print_avisuperindex_chunk(s,MSGL_V); - if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ - mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); - s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; - } - // Check and fix this useless crap if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; } + if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ + mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); + s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; + } + s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk)); |