Mercurial > mplayer.hg
changeset 20494:30fce0f93ad1
Make sure we do not read beyond end of subtitle packet
author | reimar |
---|---|
date | Sun, 29 Oct 2006 13:17:26 +0000 |
parents | e8d37db54bf5 |
children | 27c1fa3a228e |
files | libmpdemux/demux_ogg.c |
diffstat | 1 files changed, 5 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/libmpdemux/demux_ogg.c Sun Oct 29 12:44:15 2006 +0000 +++ b/libmpdemux/demux_ogg.c Sun Oct 29 13:17:26 2006 +0000 @@ -231,6 +231,8 @@ int ignoring = 0; char *packet = pack->packet; + if (pack->bytes < 4) + return; mp_msg(MSGT_DEMUX,MSGL_DBG2,"\ndemux_ogg_add_sub %02X %02X %02X '%s'\n", (unsigned char)packet[0], (unsigned char)packet[1], @@ -244,6 +246,8 @@ int16_t hdrlen = (*packet & PACKET_LEN_BITS01)>>6, i; hdrlen |= (*packet & PACKET_LEN_BITS2) <<1; lcv = 1 + hdrlen; + if (pack->bytes < lcv) + return; for (i = hdrlen; i > 0; i--) { duration <<= 8; duration |= (unsigned char)packet[i]; @@ -257,7 +261,7 @@ } ogg_sub.text[0] = realloc(ogg_sub.text[0], OGG_SUB_MAX_LINE); while (1) { - int c = packet[lcv++]; + int c = lcv < pack->bytes ? packet[lcv++] : 0; if(c=='\n' || c==0 || line_pos >= OGG_SUB_MAX_LINE-1){ ogg_sub.text[ogg_sub.lines][line_pos] = 0; // close sub if(line_pos) {