# HG changeset patch
# User reimar
# Date 1162127846 0
# Node ID 30fce0f93ad18e6e84a4009890fe00e3e59f1237
# Parent e8d37db54bf5363bc4efef7a8d305e40f5a39bb4
Make sure we do not read beyond end of subtitle packet
diff -r e8d37db54bf5 -r 30fce0f93ad1 libmpdemux/demux_ogg.c
--- a/libmpdemux/demux_ogg.c Sun Oct 29 12:44:15 2006 +0000
+++ b/libmpdemux/demux_ogg.c Sun Oct 29 13:17:26 2006 +0000
@@ -231,6 +231,8 @@
 int ignoring = 0;
 char *packet = pack->packet;
+ if (pack->bytes < 4)
+ return;
 mp_msg(MSGT_DEMUX,MSGL_DBG2,"\ndemux_ogg_add_sub %02X %02X %02X '%s'\n",
 (unsigned char)packet[0],
 (unsigned char)packet[1],
@@ -244,6 +246,8 @@
 int16_t hdrlen = (*packet & PACKET_LEN_BITS01)>>6, i;
 hdrlen |= (*packet & PACKET_LEN_BITS2) <<1;
 lcv = 1 + hdrlen;
+ if (pack->bytes < lcv)
+ return;
 for (i = hdrlen; i > 0; i--) {
 duration <<= 8;
 duration |= (unsigned char)packet[i];
@@ -257,7 +261,7 @@
 }
 ogg_sub.text[0] = realloc(ogg_sub.text[0], OGG_SUB_MAX_LINE);
 while (1) {
- int c = packet[lcv++];
+ int c = lcv < pack->bytes ? packet[lcv++] : 0;
 if(c=='\n' || c==0 || line_pos >= OGG_SUB_MAX_LINE-1){
 ogg_sub.text[ogg_sub.lines][line_pos] = 0; // close sub
 if(line_pos) {
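Review bot: The `'%s'` conversion in the `mp_msg` call directly after the new `pack->bytes < 4` guard is still unbounded. The guard proves only that the first four bytes exist, not that a NUL occurs before `pack->bytes`, so the debug print can run past the packet when the text is unterminated. The argument list continues outside the hunk; assuming the string argument is the packet text from offset 3, a precision-limited form would keep it in bounds: `'%.*s'` in the format, with `(int)(pack->bytes - 3)` passed before the pointer. A short comment on why the minimum is 4 would also help, since the guard discards shorter packets before the header is parsed at all.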
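Review bot: The new `if (pack->bytes < lcv)` check has no comment, and at this point `lcv` is acting as a minimum packet size rather than as the read cursor it becomes later. I would add `/* need the flag byte plus hdrlen duration bytes: packet[1..hdrlen] */` above it, so the link to the `for (i = hdrlen; i > 0; i--)` loop is explicit. This return and the `pack->bytes < 4` return in the first hunk both drop a truncated packet silently. A `MSGL_DBG2` message on each path would make malformed streams visible when debugging.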
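Review bot: The `realloc` on the context line just above the patched read assigns its result straight back to `ogg_sub.text[0]` without a check. On allocation failure the old buffer leaks, and the next `ogg_sub.text[ogg_sub.lines][line_pos] = 0` writes through NULL when `ogg_sub.lines` is 0. The bounded read added in this hunk does not cover that path. Something like `char *tmp = realloc(ogg_sub.text[0], OGG_SUB_MAX_LINE);` `if (!tmp) return;` `ogg_sub.text[0] = tmp;` would close it. The loop body and the rest of the function lie outside the hunk, so whether an early return leaves `ogg_sub` consistent needs checking there, as does whether `ogg_sub.lines` is bounded before it indexes `text`.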