785ec1fe86
- buffer overflow in stream_cddb.c - buffer overflow in url.c - buffer overflow in demux_mov.c - stack overflow in demux_audio.c from brad@, ok maintainer also remove reference to rtunes_ao.diff from distinfo. this patch is not used now because it does not apply.
37 lines
1.3 KiB
Plaintext
37 lines
1.3 KiB
Plaintext
$OpenBSD: patch-libmpdemux_demux_mov_c,v 1.3 2008/02/11 00:22:03 jakemsr Exp $
|
|
--- libmpdemux/demux_mov.c.orig Fri Feb 8 13:29:41 2008
|
|
+++ libmpdemux/demux_mov.c Fri Feb 8 13:31:59 2008
|
|
@@ -173,11 +173,12 @@ void mov_build_index(mov_track_t* trak,int timescale){
|
|
i=trak->chunkmap_size;
|
|
while(i>0){
|
|
--i;
|
|
- for(j=trak->chunkmap[i].first;j<last;j++){
|
|
+ j=FFMAX(trak->chunkmap[i].first, 0);
|
|
+ for(;j<last;j++){
|
|
trak->chunks[j].desc=trak->chunkmap[i].sdid;
|
|
trak->chunks[j].size=trak->chunkmap[i].spc;
|
|
}
|
|
- last=trak->chunkmap[i].first;
|
|
+ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size);
|
|
}
|
|
|
|
#if 0
|
|
@@ -235,6 +236,8 @@ void mov_build_index(mov_track_t* trak,int timescale){
|
|
s=0;
|
|
for(j=0;j<trak->durmap_size;j++){
|
|
for(i=0;i<trak->durmap[j].num;i++){
|
|
+ if (s >= trak->samples_size)
|
|
+ break;
|
|
trak->samples[s].pts=pts;
|
|
++s;
|
|
pts+=trak->durmap[j].dur;
|
|
@@ -246,6 +249,8 @@ void mov_build_index(mov_track_t* trak,int timescale){
|
|
for(j=0;j<trak->chunks_size;j++){
|
|
off_t pos=trak->chunks[j].pos;
|
|
for(i=0;i<trak->chunks[j].size;i++){
|
|
+ if (s >= trak->samples_size)
|
|
+ break;
|
|
trak->samples[s].pos=pos;
|
|
mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s,
|
|
trak->samples[s].pts,
|