From de11a44bba877d46cfa3b5150cc191453bf97fed Mon Sep 17 00:00:00 2001
From: Uoti Urpala
Date: Wed, 2 Dec 2009 12:24:19 +0200
Subject: core: Fix ordered chapter timeline building memory corruption

Two arrays were allocated one element too small, causing writes beyond the allocated area. The bug was triggered when playing a Matroska file with ordered chapters where each chapter came from a different source and none of the sources was the original file.

Noticed by Daniel Dawson
---
 mplayer.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mplayer.c b/mplayer.c
index 79916914e6..4335705988 100644
--- a/mplayer.c
+++ b/mplayer.c
@@ -2825,11 +2825,13 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
 struct demuxer *demuxer = mpctx->demuxer;
 struct matroska_data *m = &demuxer->matroska_data;

+ // +1 because sources/uid_map[0] is original file even if all chapters
+ // actually use other sources and need separate entries
 struct content_source *sources = talloc_array_ptrtype(NULL, sources,
- m->num_ordered_chapters);
+ m->num_ordered_chapters+1);
 sources[0].stream = mpctx->stream;
 sources[0].demuxer = mpctx->demuxer;
- unsigned char uid_map[m->num_ordered_chapters][16];
+ unsigned char uid_map[m->num_ordered_chapters+1][16];
 int num_sources = 1;
 memcpy(uid_map[0], m->segment_uid, 16);

@@ -2852,6 +2854,7 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
 uid_map);

+ // +1 for terminating chapter with start time marking end of last real one
 struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline,
 m->num_ordered_chapters + 1);
 struct chapter *chapters = talloc_array_ptrtype(NULL, chapters,
-- cgit v1.2.3
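Review bot: The corrected `uid_map` in the first hunk is still a stack VLA whose length `m->num_ordered_chapters+1` comes from `demuxer->matroska_data`, which appears to be populated from the input file, so a file declaring a very large chapter count would size the stack frame from untrusted data even though the off-by-one is now fixed. Since `sources` next to it is already heap-allocated with the same count, the same macro would keep both arrays under one allocator and out of the stack, e.g. `unsigned char (*uid_map)[16] = talloc_array_ptrtype(NULL, uid_map, m->num_ordered_chapters + 1);` with a matching `talloc_free(uid_map);` wherever `sources` is released (that point is outside this hunk). As a point of style, the first hunk writes `num_ordered_chapters+1` while the second writes `num_ordered_chapters + 1`; the two new lines should agree. build_ordered_chapter_timeline starts before and continues past both hunks.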