Commit 0bcded80 authored by Nedeljko Babic

Forward parts of port r14502, r16217, and r16222.

Correct a potential comment length sanity check overflow.
Commit additional hardening to comment packet decode.

Also add allocation checks, since these can still run us out of address space
 if someone actually sends a GB or two of comment data.

[Import parts of changes from Tremor (69dfba92 2010-10-13)]
parent 4ade16cb
......@@ -200,17 +200,23 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
int vendorlen=oggpack_read(opb,32);
if(vendorlen<0)goto err_out;
vc->vendor=(char *)_ogg_calloc(vendorlen+1,1);
if(vc->vendor==NULL)goto err_out;
_v_readstring(opb,vc->vendor,vendorlen);
vc->comments=oggpack_read(opb,32);
if(vc->comments<0)goto err_out;
vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out;
for(i=0;i<vc->comments;i++){
int len=oggpack_read(opb,32);
if(len<0)goto err_out;
vc->comment_lengths[i]=len;
vc->user_comments[i]=(char *)_ogg_calloc(len+1,1);
if(vc->user_comments[i]==NULL){
vc->comments=i;
goto err_out;
}
_v_readstring(opb,vc->user_comments[i],len);
}
if(oggpack_read(opb,1)!=1)goto err_out; /* EOP check */
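Review bot: The `<0` checks on `vendorlen` and `len` still admit INT_MAX, so `vendorlen+1` and `len+1` are evaluated in signed `int` and overflow before `_ogg_calloc` sees them (the same applies to `vc->comments+1` if that field is an `int`). Consider rejecting oversized values too, ideally by bounding each length against the bytes remaining in `opb` before allocating, which would also stop a short packet from requesting a very large buffer. Separately, the failure branch after the two array allocations leaves `vc->comments` at the packet-supplied count while `user_comments` or `comment_lengths` may be NULL, unlike the per-comment failure, which sets `vc->comments=i`; setting it to 0 there would keep whatever cleanup runs at `err_out` from having to cope with a non-zero count and a NULL array.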