shithub: opus

Info  •  Files  •  Log  •  Branches

Fix from speex svn 14504.

--- a/tools/celtdec.c

+++ b/tools/celtdec.c

@@ -104,7 +104,7 @@

    end = c+length;

    len=readint(c, 0);

    c+=4;

-   if (c+len>end)

+   if (len < 0 || c+len>end)

    {

       fprintf (stderr, "Invalid/corrupted comments\n");

       return;

@@ -128,7 +128,7 @@

       }

       len=readint(c, 0);

       c+=4;

-      if (c+len>end)

+      if (len < 0 || c+len>end)

       {

          fprintf (stderr, "Invalid/corrupted comments\n");

          return;