# HG changeset patch
# User reimar
# Date 1278780180 0
# Node ID 2b455d7357cccaf546f5637c2711b4857bd4271b
# Parent  31eb981263921068f690579b05fee96bbfdc627a
Check packet size before memmove to avoid crashes e.g. if we recognized the
wrong type and subtracted more header bytes than there are overall bytes.

diff -r 31eb98126392 -r 2b455d7357cc libmpdemux/demux_ts.c
--- a/libmpdemux/demux_ts.c	Sat Jul 10 16:30:59 2010 +0000
+++ b/libmpdemux/demux_ts.c	Sat Jul 10 16:43:00 2010 +0000
@@ -3152,6 +3152,10 @@
 
 				demuxer->filepos = stream_tell(demuxer->stream) - es->size;
 
+				if(es->size < 0 || es->size > buf_size) {
+					mp_msg(MSGT_DEMUX, MSGL_ERR, "Broken ES packet size\n");
+					es->size = 0;
+				}
 				memmove(p, es->start, es->size);
 				*dp_offset += es->size;
 				(*dp)->flags = 0;