# HG changeset patch
# User reimar
# Date 1189696737 0
# Node ID 50159082a80b6077266515d53a6682543e687019
# Parent 46a7d8c0aaeb470f747beaf790c3def27cb860e3
Check wLongsPerEntry before using it. This fixes a potential crash for some values of it. As a side effect it works around broken callocs with an integer overflow vulnerability, but using MPlayer on such systems should never be assumed to be safe!
diff -r 46a7d8c0aaeb -r 50159082a80b libmpdemux/aviheader.c
--- a/libmpdemux/aviheader.c Thu Sep 13 14:12:06 2007 +0000
+++ b/libmpdemux/aviheader.c Thu Sep 13 15:18:57 2007 +0000
@@ -233,16 +233,16 @@
 print_avisuperindex_chunk(s,MSGL_V);
+ // Check and fix this useless crap
+ if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
+ mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
+ s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
+ }
 if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
 s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
 }
- // Check and fix this useless crap
- if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
- mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
- s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
- }
 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
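Review bot: The moved block is now order-dependent, because `s->wLongsPerEntry` is the divisor in the `chunksize` clamp directly below it, yet its comment (`// Check and fix this useless crap`) does not say so and the block could easily be reordered again later. I would replace the comment with `// wLongsPerEntry is the divisor in the clamp below; normalize it first (0 would divide by zero)`. The clamp bounds `s->nEntriesInUse` only relative to `chunksize`, so the two `calloc()` sizes at the end of the hunk are still driven by those two values, and how `chunksize` itself is validated is not visible here. No NULL check on `s->aIndex` or `s->stdidx` is visible either; if none follows outside the hunk, one should be added before the entries are filled in. The enclosing function starts and ends outside this hunk.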