mirror of
https://github.com/mpv-player/mpv
synced 2025-02-28 11:20:56 +00:00
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe! git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@24447 b3059339-0415-0410-9bf9-f77b7e298cf2
This commit is contained in:
parent
5f9fbb7124
commit
429b15b71b
@ -233,16 +233,16 @@ while(1){
|
||||
|
||||
print_avisuperindex_chunk(s,MSGL_V);
|
||||
|
||||
if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
|
||||
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
|
||||
s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
|
||||
}
|
||||
|
||||
// Check and fix this useless crap
|
||||
if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
|
||||
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
|
||||
s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
|
||||
}
|
||||
if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
|
||||
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
|
||||
s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
|
||||
}
|
||||
|
||||
s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
|
||||
s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user