From bce49846158d839f0fe5185d9956edd1492f9fc3 Mon Sep 17 00:00:00 2001
From: Matthias Hopf
Date: Wed, 31 Dec 2008 22:36:35 +0100
Subject: check that track's codec_private_len fits in signed variables when decoding matroska while codec_private_len is unsigned, the size is later used to calculate the signed xine_bmiheader.size
---
 src/demuxers/demux_matroska.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/demuxers/demux_matroska.c b/src/demuxers/demux_matroska.c
index 0a96295ec..12cd282dd 100644
--- a/src/demuxers/demux_matroska.c
+++ b/src/demuxers/demux_matroska.c
@@ -1302,6 +1302,9 @@ static int parse_track_entry(demux_matroska_t *this, matroska_track_t *track) {
 xine_bmiheader *bih;
 lprintf("MATROSKA_CODEC_ID_V_MPEG4_*\n");
+ if (track->codec_private_len > 0x7fffffff - sizeof(xine_bmiheader))
+ track->codec_private_len = 0x7fffffff - sizeof(xine_bmiheader);
+ /* create a bitmap info header struct for MPEG 4 */
 bih = malloc(sizeof(xine_bmiheader) + track->codec_private_len);
 bih->biSize = sizeof(xine_bmiheader) + track->codec_private_len;
@@ -1323,6 +1326,9 @@ static int parse_track_entry(demux_matroska_t *this, matroska_track_t *track) {
 xine_bmiheader *bih;
 lprintf("MATROSKA_CODEC_ID_V_MPEG4_AVC\n");
+ if (track->codec_private_len > 0x7fffffff - sizeof(xine_bmiheader))
+ track->codec_private_len = 0x7fffffff - sizeof(xine_bmiheader);
+ /* create a bitmap info header struct for h264 */
 bih = malloc(sizeof(xine_bmiheader) + track->codec_private_len);
 bih->biSize = sizeof(xine_bmiheader) + track->codec_private_len;
-- cgit v1.2.3
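Review bot: The `malloc()` result is dereferenced on the very next line (`bih->biSize = ...`) without a NULL check, and the new clamp still allows a request of up to 0x7fffffff bytes driven by a length taken from the file, so allocation failure is a realistic path; the MPEG4_AVC hunk has the same pattern. Add `if (!bih)` followed by the function's failure return right after each `malloc` (the return convention of parse_track_entry is outside the hunk, as are the start and end of its body). Clamping `track->codec_private_len` may also leave the length larger than the codec-private data that was actually read, so if a later copy uses it (not visible here) it could read past that buffer. Rejecting the track when the length is out of range would be safer than silently truncating it.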