[MPlayer-cvslog] r24447 - trunk/libmpdemux/aviheader.c

[reimar]

Author: reimar
Date: Thu Sep 13 17:18:57 2007
New Revision: 24447

Log:
Check wLongsPerEntry before using it.
This fixes a potential crash for some values of it.
As a side effect it works around broken callocs with an integer
overflow vulnerability, but using MPlayer on such systems should
never be assumed to be safe!


Modified:
   trunk/libmpdemux/aviheader.c

Modified: trunk/libmpdemux/aviheader.c
==============================================================================
--- trunk/libmpdemux/aviheader.c	(original)
+++ trunk/libmpdemux/aviheader.c	Thu Sep 13 17:18:57 2007
@@ -233,16 +233,16 @@ while(1){
 	  
       print_avisuperindex_chunk(s,MSGL_V);
       
-      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
-        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
-        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
-      }
-
       // Check and fix this useless crap
       if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
           mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
           s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
       }
+      if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
+        mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
+        s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
+      }
+
       s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
       s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));