From 12e251c29e1be905ab35c4caed9a6d926c1825b0 Mon Sep 17 00:00:00 2001
From: wm4
Date: Tue, 16 Aug 2016 10:48:54 +0200
Subject: demux: fix undefined behavior with ogg metadata update When an ogg track upodates metadata, we have to perform a complicated runtime update due to the demux.c architecture. A detail was broken and an array was allocated with the previous number of streams, which usually led to invalid memory write accesses at least on the first update. See github commit comment on commit b9ba9a89.
---
 demux/demux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'demux/demux.c')
diff --git a/demux/demux.c b/demux/demux.c
index 648e629f77..0c42efee92 100644
--- a/demux/demux.c
+++ b/demux/demux.c
@@ -1039,10 +1039,10 @@ static void demux_copy(struct demuxer *dst, struct demuxer *src)
 dst->metadata = mp_tags_dup(dst, src->metadata);
 if (dst->num_update_stream_tags != src->num_update_stream_tags) {
+ dst->num_update_stream_tags = src->num_update_stream_tags;
 talloc_free(dst->update_stream_tags);
 dst->update_stream_tags =
 talloc_zero_array(dst, struct mp_tags *, dst->num_update_stream_tags);
- dst->num_update_stream_tags = src->num_update_stream_tags;
 }
 for (int n = 0; n < dst->num_update_stream_tags; n++) {
 talloc_free(dst->update_stream_tags[n]);
-- cgit v1.2.3
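Review bot: The array size inside the `if` block still depends on statement order, because `talloc_zero_array(...)` reads `dst->num_update_stream_tags`, which is only correct now that the assignment sits above it; a later reshuffle would bring back the undersized array and the invalid writes the commit message describes. Sizing from the source count directly, `talloc_zero_array(dst, struct mp_tags *, src->num_update_stream_tags);`, would make the allocation independent of that ordering. A short comment such as `// count and array are replaced together; the loop below indexes up to the new count` would record the invariant for the next editor. Whether `talloc_free(dst->update_stream_tags)` also releases the old per-stream entries depends on their talloc parent, which is not visible in this hunk, so that is worth confirming for the case where the count changes. The body of demux_copy starts before and continues past the hunk.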