X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Flibvorbisdec.c;h=3c53b8fdaf243f16de6c13dddaad05c0925dd58c;hb=6268034b5d03580f86e9ff5a1879ebd56f35db40;hp=ecf690a5530128eef311ff8870b94ab689c40bcc;hpb=14fe81b3a88dfe4dbac12e8715f9a3f05b5ef1bf;p=ffmpeg diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index ecf690a5530..3c53b8fdaf2 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -49,29 +49,40 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { vorbis_comment_init(&context->vc) ; if(p[0] == 0 && p[1] == 30) { + int sizesum = 0; for(i = 0; i < 3; i++){ hsizes[i] = bytestream_get_be16((const uint8_t **)&p); + sizesum += 2 + hsizes[i]; + if (sizesum > avccontext->extradata_size) { + av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } + headers[i] = p; p += hsizes[i]; } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset;