riff: prevent crash if rounded up tag size exceeds data size

When rounding up `tsize' exceeds the remaining buffer size, `size' underflows and an invalid read past the buffer data follows.
2024-11-28 20:51:13 +00:00 · 2009-06-27 00:50:54 +03:00 · 2009-06-27 00:50:54 +03:00 · 41b7504e9c
commit 41b7504e9c
parent 939baee2bd
1 changed files with 4 additions and 1 deletions
--- a/gst-libs/gst/riff/riff-read.c
+++ b/gst-libs/gst/riff/riff-read.c
@ -728,8 +728,11 @@ gst_riff_parse_info (GstElement * element,
      }
    }

-    if (tsize & 1)
+    if (tsize & 1) {
      tsize++;
+      if (tsize > size)
+        tsize = size;
+    }

    data += tsize;
    size -= tsize;