From 98422c44cf86de6da8f73a7bd80284ed165c5a98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@gmx.de>
Date: Thu, 24 Sep 2009 15:37:09 +0000
Subject: [PATCH] Fix possible buffer over-read in vorbis_comment, fix it
 twice to be safe. First, make s signed, so that comparisons against end - p
 will not be made as unsigned, making the check incorrectly pass if p is
 beyond end. Also ensure that p will never be > end, so the code is correct
 also if buf is not padded.

Originally committed as revision 20014 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/oggparsevorbis.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index afc3fcb5a67..1ef7365f4a3 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -50,27 +50,28 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
     const uint8_t *p = buf;
     const uint8_t *end = buf + size;
-    unsigned s, n, j;
+    unsigned n, j;
+    int s;
 
     if (size < 8) /* must have vendor_length and user_comment_list_length */
         return -1;
 
     s = bytestream_get_le32(&p);
 
-    if (end - p < s)
+    if (end - p - 4 < s || s < 0)
         return -1;
 
     p += s;
 
     n = bytestream_get_le32(&p);
 
-    while (p < end && n > 0) {
+    while (end - p >= 4 && n > 0) {
         const char *t, *v;
         int tl, vl;
 
         s = bytestream_get_le32(&p);
 
-        if (end - p < s)
+        if (end - p < s || s < 0)
             break;
 
         t = p;
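Review bot: The `s < 0` tests in the two new checks (`end - p - 4 < s || s < 0` and `end - p < s || s < 0`) only reject lengths of 0x80000000 and above because the unsigned 32-bit value from bytestream_get_le32() is narrowed into `int` by wraparound, which C leaves implementation-defined (C11 6.3.1.3p3), so the guard holds on the compilers FFmpeg targets in practice but not by the language's guarantee. The same bound can be stated without the narrowing or the extra branch by leaving `s` in its original type (`unsigned n, j, s;`) and comparing it against the remaining byte count converted to an unsigned type, which is safe because the `size < 8` guard and the loop condition keep `end - p - 4` and `end - p` non-negative: `if ((size_t)(end - p - 4) < s)` for the vendor length and `if ((size_t)(end - p) < s)` inside the loop. The `- 4` also deserves a word, e.g. `/* keep 4 bytes for user_comment_list_length after the vendor string */`, since it is what lets the following `bytestream_get_le32(&p)` read `n` without passing `end`. vorbis_comment() continues past the hunk, so how `s` is consumed after `t = p` is not visible here.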
-- 
GitLab