From 59eaa8ed7e9bc9649e087e427a4136862bb47e51 Mon Sep 17 00:00:00 2001
From: wm4
Date: Sat, 13 Apr 2013 19:17:16 +0200
Subject: demux_mkv: verify laces separately, and in all cases
---
 demux/demux_mkv.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index aa0ab47fad..785c9eaae3 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -1824,8 +1824,6 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces,
 goto error;
 lace_size[i] += t;
 } while (t == 0xFF);
- if (lace_size[i] > buffer->len - total || total > buffer->len)
- goto error;
 total += lace_size[i];
 }
 lace_size[i] = buffer->len - total;
@@ -1849,14 +1847,22 @@ static int demux_mkv_read_block_lacing(bstr *buffer, int *laces,
 if (snum == EBML_INT_INVALID)
 goto error;
 lace_size[i] = lace_size[i - 1] + snum;
- if (lace_size[i] > buffer->len - total || total > buffer->len)
- goto error;
 total += lace_size[i];
 }
 lace_size[i] = buffer->len - total;
 break;
 }
 }
+
+ total = buffer->len;
+ for (i = 0; i < *laces; i++) {
+ if (lace_size[i] > total)
+ goto error;
+ total -= lace_size[i];
+ }
+ if (total != 0)
+ goto error;
+
+ return 0;
 error:
--
cgit v1.2.3
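Review bot: The verification loop added at the end of the second hunk reuses `total` with the opposite meaning from the lacing loops above it (there a running sum, here the bytes still unaccounted for), and nothing in the hunk shows that `total` is as wide as `buffer->len`. If it is narrower, `total = buffer->len;` truncates and the `lace_size[i] > total` and `total != 0` checks are made against the wrong length, so a dedicated variable of the length's own type would be safer, for example `size_t remaining = buffer->len;` (type to be confirmed against the bstr definition). A comment such as `/* each lace must fit in what is left, and together they must consume the whole payload */` would also record that this loop is now the only place where a wrapped `buffer->len - total` for the last lace is rejected, since the per-lace checks are removed in both hunks. The declarations and the start and end of demux_mkv_read_block_lacing are outside the hunk.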