From 9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 5 Aug 2012 04:41:34 +0200
Subject: oggdec: check stream index before using it in ogg_get_length()

Fixes crash based on a uninitialized array index read. If the read does not crash then out of array writes based on the same index might have been triggered afterwards.

Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer
---
libavformat/oggdec.c | 3 +++
1 file changed, 3 insertions(+)
(limited to 'libavformat/oggdec.c')
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index b2d734aeaa..0a4650158d 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -525,7 +525,9 @@ static int ogg_get_length(AVFormatContext *s)
 ogg_save (s);
 avio_seek (s->pb, s->data_offset, SEEK_SET);
 ogg_reset(s);
+ i = -1;
 while (!ogg_packet(s, &i, NULL, NULL, NULL)) {
+ if(i>=0) {
 int64_t pts = ogg_calc_pts(s, i, NULL);
 if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start){
 s->streams[i]->duration -= pts;
@@ -534,6 +536,7 @@ static int ogg_get_length(AVFormatContext *s)
 }else if(s->streams[i]->start_time != AV_NOPTS_VALUE && !ogg->streams[i].got_start){
 ogg->streams[i].got_start= 1;
 streams_left--;
+ }
 }
 if(streams_left<=0)
 break;
-- cgit v1.2.3
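Review bot: The `i = -1;` sentinel in the first hunk is assigned only once, before the `while` loop, so the new `if(i>=0)` guard covers only the calls made before the first packet that stores an index. If `ogg_packet()` can return 0 without writing the index, which the commit message implies is how the uninitialized read arose, a later such call leaves `i` at the previous packet's stream and the body runs again on that stale index. Resetting the sentinel on every iteration closes this, for example `i = -1;` as the last statement of the loop body; the loop's closing brace lies outside the second hunk. The guard also checks only the lower bound, and whether `i` is always below `s->nb_streams` and the size of `ogg->streams` is not visible here, so an upper-bound test in the same condition would be the defensive form unless `ogg_packet()` already guarantees it. A short comment on the guard, such as `/* ogg_packet() may succeed without setting i */`, would record why the check exists.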