# HG changeset patch
# User reimar
# Date 1170786656 0
# Node ID f4f90f0f5d2beb859736930a09ccae993396262b
# Parent  9b6273ea9ce9e9fbc630beaef2bb80178cc72bb6
Add missing checks in RealVideo slice handling code.

diff -r 9b6273ea9ce9 -r f4f90f0f5d2b libmpcodecs/vd_ffmpeg.c
--- a/libmpcodecs/vd_ffmpeg.c	Tue Feb 06 13:56:40 2007 +0000
+++ b/libmpcodecs/vd_ffmpeg.c	Tue Feb 06 18:30:56 2007 +0000
@@ -764,15 +764,17 @@
     if(sh->bih->biSize>=sizeof(*sh->bih)+8){
         int i;
         dp_hdr_t *hdr= (dp_hdr_t*)data;
+        uint32_t *offsets = (uint32_t*)(data + hdr->chunktab) + 1;
+        char *end = data + len;
 
         if(avctx->slice_offset==NULL) 
             avctx->slice_offset= av_malloc(sizeof(int)*1000);
         
 //        for(i=0; i<25; i++) printf("%02X ", ((uint8_t*)data)[i]);
         
-        avctx->slice_count= hdr->chunks+1;
-        for(i=0; i<avctx->slice_count; i++)
-            avctx->slice_offset[i]= ((uint32_t*)(data+hdr->chunktab))[2*i+1];
+        avctx->slice_count= FFMIN(hdr->chunks+1, 1000);
+        for(i=0; i<avctx->slice_count && end >= &offsets[2*i+1]; i++)
+            avctx->slice_offset[i]= offsets[2*i];
 	len=hdr->len;
         data+= sizeof(dp_hdr_t);
     }