Fix handling of dirac EOSdataunit.

 - Fixes infinite loop when next_parse_offset = 0
 - Fixes memory access to invalid data with malformed ogg input.
Signed-off-by: David Flynn <davidf@woaf.net>
Signed-off-by: Derk-Jan Hartman <hartman@videolan.org>

modules/codec/schroedinger.c

@@ -435,6 +435,10 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
             size_t i_pulen = GetDWBE( p_block->p_buffer + i_bufused + 5 );
             uint8_t *p_pu = p_block->p_buffer + i_bufused;
 
+            if( 0 == i_pulen ) {
+                i_pulen = 13;
+            }
+
             /* blocks that do not start with the parse info prefix are invalid */
             if( p_pu[0] != 'B' || p_pu[1] != 'B' ||
                 p_pu[2] != 'C' || p_pu[3] != 'D')

modules/demux/ogg.c

@@ -1556,18 +1556,19 @@ static void Ogg_ReadAnnodexHeader( vlc_object_t *p_this,
 static uint32_t Ogg_ReadDiracPictureNumber( ogg_packet *p_oggpacket )
 {
     uint32_t u_pos = 4;
+    /* protect against falling off the edge */
+    while ( u_pos + 13 < p_oggpacket->bytes ) {
         /* find the picture startcode */
-    while ( (p_oggpacket->packet[u_pos] & 0x08) == 0) {
+        if ( p_oggpacket->packet[u_pos] & 0x08 ) {
+            return GetDWBE( p_oggpacket->packet + u_pos + 9 );
+        }
         /* skip to the next dirac parse unit */
-        u_pos += GetDWBE( p_oggpacket->packet + u_pos + 1 );
-        /* protect against falling off the edge */
-        if ( u_pos > p_oggpacket->bytes )
-             return -1;
+        uint32_t u_npo = GetDWBE( p_oggpacket->packet + u_pos + 1 );
+        if (u_npo == 0)
+            u_npo = 13;
+        u_pos += u_npo;
     }
-
-    uint32_t u_pnum = GetDWBE( p_oggpacket->packet + u_pos + 9 );
-
-    return u_pnum;
+    return -1;
 }
 
 static uint32_t dirac_uint( bs_t *p_bs )