[SCM] libav/experimental: simply buffer checks in vorbis_comment()

[siretart at users.alioth.debian.org]

The following commit has been merged in the experimental branch:
commit 972c5f9e10107650e9fb3544f22ce1e8370e9d80
Author: Måns Rullgård <mans at mansr.com>
Date:   Sat Oct 13 11:43:03 2007 +0000

    simply buffer checks in vorbis_comment()
    
    Originally committed as revision 10725 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index a89e881..e60efda 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -34,36 +34,32 @@ extern int
 vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
 {
     uint8_t *p = buf;
+    uint8_t *end = buf + size;
     unsigned s, n, j;
 
     if (size < 8) /* must have vendor_length and user_comment_list_length */
         return -1;
 
     s = bytestream_get_le32(&p);
-    size -= 4;
 
-    if (size - 4 < s)
+    if (end - p < s)
         return -1;
 
     p += s;
-    size -= s;
 
     n = bytestream_get_le32(&p);
-    size -= 4;
 
-    while (size >= 4) {
+    while (p < end && n > 0) {
         char *t, *v;
         int tl, vl;
 
         s = bytestream_get_le32(&p);
-        size -= 4;
 
-        if (size < s)
+        if (end - p < s)
             break;
 
         t = p;
         p += s;
-        size -= s;
         n--;
 
         v = memchr(t, '=', s);
@@ -103,8 +99,8 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size)
         }
     }
 
-    if (size > 0)
-        av_log(as, AV_LOG_INFO, "%i bytes of comment header remain\n", size);
+    if (p != end)
+        av_log(as, AV_LOG_INFO, "%ti bytes of comment header remain\n", p-end);
     if (n > 0)
         av_log(as, AV_LOG_INFO,
                "truncated comment header, %i comments not found\n", n);

-- 
Libav/FFmpeg packaging