matroska: pass the lace size to the matroska_parse_rm_audio

Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a CC: libav-stable@libav.org

matroska: pass the lace size to the matroska_parse_rm_audio
Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a CC: libav-stable@libav.org
25a80a93 · Luca Barbato · 8a96df7b · 25a80a93
Commit 25a80a93 authored Mar 29, 2013 by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

matroskadec.c libavformat/matroskadec.c +2 -2

No files found.
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2080,7 +2080,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
             st->codec->codec_id == AV_CODEC_ID_ATRAC3) &&
             st->codec->block_align && track->audio.sub_packet_size) {
-            res = matroska_parse_rm_audio(matroska, track, st, data, size,
+            res = matroska_parse_rm_audio(matroska, track, st, data,
+                                          lace_size[n],
                                          timecode, duration, pos);
            if (res)
                goto end;
@@ -2096,7 +2097,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
        if (timecode != AV_NOPTS_VALUE)
            timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
        data += lace_size[n];
-        size -= lace_size[n];
    }
 end: