X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fxiph.c;h=6554264648912d80d5f6a7c02f1364d11a82c218;hb=bbdfa06d437a1cb8dd18169bc0c3db129aaa25d2;hp=65c9d560375abbf4325f4075e8d036a55f988d8b;hpb=5bb127a98f3d7c8e4f3da4dfa5e8d697d5a2dbdc;p=ffmpeg
diff --git a/libavcodec/xiph.c b/libavcodec/xiph.c
index 65c9d560375..65542646489 100644
--- a/libavcodec/xiph.c
+++ b/libavcodec/xiph.c
@@ -24,28 +24,34 @@ int ff_split_xiph_headers(uint8_t *extradata, int extradata_size, int first_header_size, uint8_t *header_start[3], int header_len[3]) { - int i, j; + int i; - if (AV_RB16(extradata) == first_header_size) { + if (extradata_size >= 6 && AV_RB16(extradata) == first_header_size) { + int overall_len = 6; for (i=0; i<3; i++) { header_len[i] = AV_RB16(extradata); extradata += 2; header_start[i] = extradata; extradata += header_len[i]; + if (overall_len > extradata_size - header_len[i]) + return -1; + overall_len += header_len[i]; } - } else if (extradata[0] == 2) { - for (i=0,j=1; i<2; i++,j++) { + } else if (extradata_size >= 3 && extradata_size < INT_MAX - 0x1ff && extradata[0] == 2) { + int overall_len = 3; + extradata++; + for (i=0; i<2; i++, extradata++) { header_len[i] = 0; - for (; j= extradata_size) + header_len[i] += *extradata; + overall_len += *extradata; + if (overall_len > extradata_size) return -1; - - header_len[i] += extradata[j]; } - header_len[2] = extradata_size - header_len[0] - header_len[1] - j; - extradata += j; + header_len[2] = extradata_size - overall_len; header_start[0] = extradata; header_start[1] = header_start[0] + header_len[0]; header_start[2] = header_start[1] + header_len[1];
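Review bot: In the 16-bit-length branch the new bounds check runs only after `header_start[i]` has been stored and `extradata` has been advanced by the still-unvalidated `header_len[i]`, so on the `return -1` path the output arrays hold an unchecked length and pointer, and the pointer arithmetic may already have stepped past the end of the buffer. Moving `if (overall_len > extradata_size - header_len[i]) return -1;` to directly after `header_len[i] = AV_RB16(extradata);` gives the same accept/reject decision while publishing and advancing nothing before the length is validated. Whether any caller reads `header_start`/`header_len` after a failure is not visible here, so that exposure should be confirmed at the call sites. The inner 0xff-run loop of the second branch is not fully legible on this page, and the function's final branch and return lie outside the hunk, so this note covers only the first branch.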