matroskadec: Fix a buffer overread

Originally committed as revision 22271 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: David Conrad <lessen42@gmail.com> 2010-03-07 02:26:30 +0000
committer: David Conrad <lessen42@gmail.com> 2010-03-07 02:26:30 +0000
commit: e48f7ff3cb73fbaba0f5b8d442dc5909f705c863 (patch)
tree: 7995b17921ee8e63ee2f17afc055d49ea07a5852 /libavformat/matroskadec.c
parent: d5dfecb1eaeea4a8498d2135e3e5bbc3d7bbc567 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 84d06c7283..5ae1fde977 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1676,6 +1676,11 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                 int offset = 0, pkt_size = lace_size[n];
                 uint8_t *pkt_data = data;
 
+                if (lace_size[n] > size) {
+                    av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
+                    break;
+                }
+
                 if (encodings && encodings->scope & 1) {
                     offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
                     if (offset < 0)
@@ -1727,6 +1732,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
             if (timecode != AV_NOPTS_VALUE)
                 timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
             data += lace_size[n];
+            size -= lace_size[n];
         }
     }
author	David Conrad <lessen42@gmail.com>	2010-03-07 02:26:30 +0000
committer	David Conrad <lessen42@gmail.com>	2010-03-07 02:26:30 +0000
commit	e48f7ff3cb73fbaba0f5b8d442dc5909f705c863 (patch)
tree	7995b17921ee8e63ee2f17afc055d49ea07a5852 /libavformat/matroskadec.c
parent	d5dfecb1eaeea4a8498d2135e3e5bbc3d7bbc567 (diff)