From 429b15b71bbe9971a11b02fb8045560c748a243f Mon Sep 17 00:00:00 2001 From: reimar Date: Thu, 13 Sep 2007 15:18:57 +0000 Subject: Check wLongsPerEntry before using it. This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe! git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@24447 b3059339-0415-0410-9bf9-f77b7e298cf2 --- libmpdemux/aviheader.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'libmpdemux') diff --git a/libmpdemux/aviheader.c b/libmpdemux/aviheader.c index d47013fb59..14e4bc9e36 100644 --- a/libmpdemux/aviheader.c +++ b/libmpdemux/aviheader.c @@ -233,16 +233,16 @@ while(1){ print_avisuperindex_chunk(s,MSGL_V); - if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ - mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); - s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; - } - // Check and fix this useless crap if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; } + if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ + mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); + s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; + } + s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk)); -- cgit v1.2.3