From 4c5e7b27d57dd2be777780e840eef9be63242158 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 13 Sep 2011 15:13:44 -0400 Subject: [PATCH] flacdec: fix buffer size checking in get_metadata_size() Adds an additional check before reading the next block header and avoids a potential integer overflow when checking the metadata size against the remaining buffer size. --- libavcodec/flacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index f6d0abe544..3eb117acf6 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -226,9 +226,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { + if (buf_end - buf < 4) + return 0; ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; - if (buf + metadata_size > buf_end) { + if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ return 0; }