From 25a80a931a3829f9d730971dbd269aa39cc273f6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 29 Mar 2013 12:51:51 +0100 Subject: matroska: pass the lace size to the matroska_parse_rm_audio Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065 CC: libav-stable@libav.org --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libavformat/matroskadec.c') diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 67a3308d7d..5279110312 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2080,7 +2080,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, st->codec->codec_id == AV_CODEC_ID_ATRAC3) && st->codec->block_align && track->audio.sub_packet_size) { - res = matroska_parse_rm_audio(matroska, track, st, data, size, + res = matroska_parse_rm_audio(matroska, track, st, data, + lace_size[n], timecode, duration, pos); if (res) goto end; @@ -2096,7 +2097,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (timecode != AV_NOPTS_VALUE) timecode = duration ? timecode + duration : AV_NOPTS_VALUE; data += lace_size[n]; - size -= lace_size[n]; } end: -- cgit v1.2.3