From: David Conrad Date: Sun, 7 Mar 2010 02:26:30 +0000 (+0000) Subject: matroskadec: Fix a buffer overread X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=e48f7ff3cb73fbaba0f5b8d442dc5909f705c863;p=ffmpeg matroskadec: Fix a buffer overread Originally committed as revision 22271 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 84d06c7283f..5ae1fde977c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1676,6 +1676,11 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 int offset = 0, pkt_size = lace_size[n];
 uint8_t *pkt_data = data;
+ if (lace_size[n] > size) {
+ av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
+ break;
+ }
+
 if (encodings && encodings->scope & 1) {
 offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
 if (offset < 0)
@@ -1727,6 +1732,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 if (timecode != AV_NOPTS_VALUE)
 timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
 data += lace_size[n];
+ size -= lace_size[n];
 }
 }
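Review bot: The new guard `if (lace_size[n] > size)` compares two operands whose types are not visible in the hunk; if `lace_size[]` is unsigned and `size` is a signed int, a negative `size` converts to a large unsigned value and the check lets the lace through. This matters together with the second hunk, where `size -= lace_size[n];` runs at the end of the loop body. The guard sits directly after block-local declarations, so it may cover only one branch of the loop, and any path that skips it can push `size` below zero. Consider `if (size < 0 || lace_size[n] > (unsigned)size)`, or hoisting the check to the top of the loop body so every consumer of `data` is covered. The `break` only logs, and the function's return path is outside both hunks, so confirm that a truncated block is not reported to the caller as success.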