authorUoti Urpala <uau@glyph.nonexistent.invalid>2009-12-02 12:24:19 +0200
committerUoti Urpala <uau@glyph.nonexistent.invalid>2009-12-02 12:38:13 +0200
commitde11a44bba877d46cfa3b5150cc191453bf97fed (patch)
tree53d44d9937f800ce3b173c8725eb5407f7b1c931 /mplayer.c
parent74fd43cf701e1cd17c7a28cf0898a169004b9242 (diff)
core: Fix ordered chapter timeline building memory corruption
Two arrays were allocated one element too small, causing writes beyond the allocated area. The bug was triggered when playing a Matroska file with ordered chapters where each chapter came from a different source and none of the sources was the original file. Noticed by Daniel Dawson <ddawson@icehouse.net>
Diffstat (limited to 'mplayer.c')
-rw-r--r--mplayer.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/mplayer.c b/mplayer.c
index 79916914e6..4335705988 100644
--- a/mplayer.c
+++ b/mplayer.c
@@ -2825,11 +2825,13 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
struct demuxer *demuxer = mpctx->demuxer;
struct matroska_data *m = &demuxer->matroska_data;
+ // +1 because sources/uid_map[0] is original file even if all chapters
+ // actually use other sources and need separate entries
struct content_source *sources = talloc_array_ptrtype(NULL, sources,
- m->num_ordered_chapters);
+ m->num_ordered_chapters+1);
sources[0].stream = mpctx->stream;
sources[0].demuxer = mpctx->demuxer;
- unsigned char uid_map[m->num_ordered_chapters][16];
+ unsigned char uid_map[m->num_ordered_chapters+1][16];
int num_sources = 1;
memcpy(uid_map[0], m->segment_uid, 16);
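Review bot: `uid_map` is still a stack VLA whose length is `m->num_ordered_chapters+1`, and that count presumably comes from the Matroska file being played, so a file declaring a very large number of ordered chapters could overrun the stack even with the off-by-one fixed. Allocating it the same way as `sources` avoids that, for example `unsigned char (*uid_map)[16] = talloc_array_ptrtype(NULL, uid_map, m->num_ordered_chapters + 1);`, with a matching `talloc_free(uid_map);` where the function releases its other temporaries. If the demuxer already caps the chapter count, a comment naming that limit next to the declaration would be enough. The rest of build_ordered_chapter_timeline lies outside this hunk, so the free site and any existing bound could not be checked here.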
@@ -2852,6 +2854,7 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
uid_map);
+ // +1 for terminating chapter with start time marking end of last real one
struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline,
m->num_ordered_chapters + 1);
struct chapter *chapters = talloc_array_ptrtype(NULL, chapters,