RepoMirrors
/
mpv
mirror of https://github.com/mpv-player/mpv
1
0
Fork 0
Code Issues Releases Wiki Activity

Check wLongsPerEntry before using it. 

This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!


git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@24447 b3059339-0415-0410-9bf9-f77b7e298cf2
This commit is contained in:
reimar 2007-09-13 15:18:57 +00:00
parent 5f9fbb7124
commit 429b15b71b
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libmpdemux/aviheader.c
View File

@ -233,16 +233,16 @@ while(1){
print_avisuperindex_chunk(s,MSGL_V);
if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
}
// Check and fix this useless crap
if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
}
if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
}
s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));