From c28778fb5a01b9b70a66e460bef5de82a36c2b96 Mon Sep 17 00:00:00 2001
From: Nils Wallménius <nils@rockbox.org>
Date: Mon, 6 Dec 2010 17:15:00 +0000
Subject: libtremor: merge part of upstream revision 17514 adding some limit
 checking for allocations when unpacking comments.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28748 a1c6a512-1295-4272-9138-f99709370657
---
 apps/codecs/libtremor/info.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'apps/codecs/libtremor')

diff --git a/apps/codecs/libtremor/info.c b/apps/codecs/libtremor/info.c
index f3ac5f87f6..62a31d510e 100644
--- a/apps/codecs/libtremor/info.c
+++ b/apps/codecs/libtremor/info.c
@@ -140,11 +140,15 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
 }
 
 static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
-  int vendorlen=oggpack_read(opb,32);
+  int vendorlen;
+  vendorlen=oggpack_read(opb,32);
   if(vendorlen<0)goto err_out;
+  if(vendorlen>opb->storage-oggpack_bytes(opb))goto err_out;
   vc->vendor=(char *)_ogg_calloc(vendorlen+1,1);
+  if(vc->vendor==NULL)goto err_out;
   _v_readstring(opb,vc->vendor,vendorlen);
-  vc->comments=0; 
+  vc->comments=0;
+  /* ROCKBOX: the meat of this function was deleted as we don't need it */
   return(0);
  err_out:
   vorbis_comment_clear(vc);
-- 
cgit v1.2.3