From 06a273f4917e5b7460985a33a96276b0f84dc8b1 Mon Sep 17 00:00:00 2001 From: Petri Hintukainen Date: Tue, 4 Oct 2011 11:14:55 +0300 Subject: demux_real: fixed buffer size check Check used (NULL) target pointer instead of length and would be always false --- src/demuxers/demux_real.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c index 340083221..19b7794ef 100644 --- a/src/demuxers/demux_real.c +++ b/src/demuxers/demux_real.c @@ -303,7 +303,7 @@ static mdpr_t *real_parse_mdpr(const char *data, const unsigned int size) mdpr->mime_type[(int)mdpr->mime_type_size]=0; mdpr->type_specific_len=_X_BE_32(&data[34+mdpr->stream_name_size+mdpr->mime_type_size]); - if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data) + if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_len) goto fail; mdpr->type_specific_data=malloc(mdpr->type_specific_len); if (!mdpr->type_specific_data) -- cgit v1.2.3