# HG changeset patch
# User conrad
# Date 1267928790 0
# Node ID 87a2727fd609f14c6f1cae78894c8f3e536802be
# Parent 058a0e362dbe47e0a24fcc38033c9f3c23646d3a
matroskadec: Fix a buffer overread
diff -r 058a0e362dbe -r 87a2727fd609 matroskadec.c
--- a/matroskadec.c Sat Mar 06 23:19:05 2010 +0000
+++ b/matroskadec.c Sun Mar 07 02:26:30 2010 +0000
@@ -1676,6 +1676,11 @@
 int offset = 0, pkt_size = lace_size[n];
 uint8_t *pkt_data = data;
+ if (lace_size[n] > size) {
+ av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
+ break;
+ }
+
 if (encodings && encodings->scope & 1) {
 offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
 if (offset < 0)
@@ -1727,6 +1732,7 @@
 if (timecode != AV_NOPTS_VALUE)
 timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
 data += lace_size[n];
+ size -= lace_size[n];
 }
 }
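Review bot: The new guard `if (lace_size[n] > size)` in the first hunk compares two variables whose declarations are outside the hunk, and the context line above it has already stored `lace_size[n]` into the `int` `pkt_size`. If the lace sizes are unsigned and `size` is signed, the comparison is carried out in unsigned arithmetic and is only correct while `size` is non-negative, so I would make that explicit with `if (size < 0 || lace_size[n] > (unsigned)size) {`. The error path only logs and leaves the loop with `break`; the enclosing function continues outside the hunk, so it is not visible whether the caller learns that the block was malformed, and setting the function's error result before the `break` would keep a truncated block from being reported as success. Adding `n`, the lace size and the remaining `size` to the log message would make a malformed file easier to triage.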
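Review bot: `size -= lace_size[n];` in the second hunk is correct only if every iteration that reaches it has passed the `lace_size[n] > size` check from the first hunk, and the loop body between the two hunks is not visible here, so a path that bypasses the check could drive `size` negative or make it wrap. Since the check and this subtraction sit roughly fifty lines apart, it is worth confirming that no other branch of the loop reads from `data` without going through the check. A comment such as `/* size = bytes left in the block after this lace; compared with lace_size[n] before each lace is read */` would record the invariant that the bounds check depends on.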