diff options
author | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2010-03-10 02:14:30 +0200 |
---|---|---|
committer | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2010-03-10 02:35:02 +0200 |
commit | bc1d0ca37d9bdfd69a945043650e0246ffeb5f94 (patch) | |
tree | 8269c9cbc1df72afb5715b77669698a0781f6250 /playtreeparser.c | |
parent | f7cc4152f7c55808c5dd6bbd49c216c9345eb686 (diff) | |
parent | e9a5e7f667d1b0c0dec0053ad9ec6f7bc3162b60 (diff) | |
download | mpv-bc1d0ca37d9bdfd69a945043650e0246ffeb5f94.tar.bz2 mpv-bc1d0ca37d9bdfd69a945043650e0246ffeb5f94.tar.xz |
Merge svn changes up to r30798
Diffstat (limited to 'playtreeparser.c')
-rw-r--r-- | playtreeparser.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/playtreeparser.c b/playtreeparser.c index 5c786d06b7..1b8d91f944 100644 --- a/playtreeparser.c +++ b/playtreeparser.c @@ -30,6 +30,7 @@ #include <fcntl.h> #include <unistd.h> #include <ctype.h> +#include <limits.h> #include "asxparser.h" #include "m_config.h" #include "playtree.h" @@ -80,8 +81,15 @@ play_tree_parser_get_line(play_tree_parser_t* p) { while(1) { if(resize) { + char *tmp; r = p->iter - p->buffer; - p->buffer = realloc(p->buffer, p->buffer_size + BUF_STEP); + end = p->buffer + p->buffer_end; + if (p->buffer_size > INT_MAX - BUF_STEP) + break; + tmp = realloc(p->buffer, p->buffer_size + BUF_STEP); + if (!tmp) + break; + p->buffer = tmp; p->iter = p->buffer + r; p->buffer_size += BUF_STEP; resize = 0; @@ -238,21 +246,28 @@ static int pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) { int num,max_entry = (*_max_entry); pls_entry_t* e = (*_e); + int limit = INT_MAX / sizeof(*e); char* v; v = pls_entry_get_value(line); if(!v) { mp_msg(MSGT_PLAYTREE,MSGL_ERR,"No value in entry %s\n",line); - return 0; + return -1; } num = atoi(line); - if(num < 0) { + if(num <= 0 || num > limit) { + if (max_entry >= limit) { + mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Too many index entries\n"); + return -1; + } num = max_entry+1; - mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No entry index in entry %s\nAssuming %d\n",line,num); + mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No or invalid entry index in entry %s\nAssuming %d\n",line,num); } if(num > max_entry) { e = realloc(e, num * sizeof(pls_entry_t)); + if (!e) + return -1; memset(&e[max_entry],0,(num-max_entry)*sizeof(pls_entry_t)); max_entry = num; } |