author | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2009-12-02 12:24:19 +0200 |
---|---|---|
committer | Uoti Urpala <uau@glyph.nonexistent.invalid> | 2009-12-02 12:38:13 +0200 |
commit | de11a44bba877d46cfa3b5150cc191453bf97fed (patch) | |
tree | 53d44d9937f800ce3b173c8725eb5407f7b1c931 /mplayer.c | |
parent | 74fd43cf701e1cd17c7a28cf0898a169004b9242 (diff) | |
core: Fix ordered chapter timeline building memory corruption
Two arrays were allocated one element too small, causing writes beyond
the allocated area. The bug was triggered when playing a Matroska file
with ordered chapters where each chapter came from a different source
and none of the sources was the original file.
Noticed by Daniel Dawson <ddawson@icehouse.net>
Diffstat (limited to 'mplayer.c')
-rw-r--r-- | mplayer.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -2825,11 +2825,13 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
 struct demuxer *demuxer = mpctx->demuxer;
 struct matroska_data *m = &demuxer->matroska_data;
+ // +1 because sources/uid_map[0] is original file even if all chapters
+ // actually use other sources and need separate entries
 struct content_source *sources = talloc_array_ptrtype(NULL, sources,
- m->num_ordered_chapters);
+ m->num_ordered_chapters+1);
 sources[0].stream = mpctx->stream;
 sources[0].demuxer = mpctx->demuxer;
- unsigned char uid_map[m->num_ordered_chapters][16];
+ unsigned char uid_map[m->num_ordered_chapters+1][16];
 int num_sources = 1;
 memcpy(uid_map[0], m->segment_uid, 16);
@@ -2852,6 +2854,7 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
 uid_map);
+ // +1 for terminating chapter with start time marking end of last real one
 struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline, m->num_ordered_chapters + 1);
 struct chapter *chapters = talloc_array_ptrtype(NULL, chapters, |
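Review bot: `uid_map` in the first hunk is still a variable-length array on the stack, sized `m->num_ordered_chapters+1` rows of 16 bytes, and that count appears to come from the Matroska file being played. A file declaring a very large number of ordered chapters would then dictate the stack frame size, so the off-by-one fix leaves a stack-exhaustion path open. Allocating it the way `sources` is, e.g. `unsigned char (*uid_map)[16] = talloc_array_ptrtype(NULL, uid_map, m->num_ordered_chapters+1);`, or rejecting counts above a sane limit before this point, would close it. The function body continues past both hunks, so the matching free and the code that appends to `sources`/`uid_map` are not visible here. An assertion there that `num_sources` never exceeds `m->num_ordered_chapters+1` would make the invariant this commit relies on explicit.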