Commit 4bc422b0 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Really fix the real overflow

parent a8e4f023
...@@ -925,14 +925,14 @@ static void ReadRealIndex( demux_t *p_demux ) ...@@ -925,14 +925,14 @@ static void ReadRealIndex( demux_t *p_demux )
msg_Dbg( p_demux, "Real Index : num : %d ", i_index_count ); msg_Dbg( p_demux, "Real Index : num : %d ", i_index_count );
if( i_index_count == 0 ) if( i_index_count > ( 0xffffffff / sizeof( rm_index_t ) ) )
return; return;
if( GetDWBE( &buffer[16] ) > 0 ) if( GetDWBE( &buffer[16] ) > 0 )
msg_Dbg( p_demux, "Real Index: Does next index exist? %d ", msg_Dbg( p_demux, "Real Index: Does next index exist? %d ",
GetDWBE( &buffer[16] ) ); GetDWBE( &buffer[16] ) );
p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) ); p_sys->p_index = malloc( ( i_index_count + 1 ) * sizeof( rm_index_t ) );
if( p_sys->p_index == NULL ) if( p_sys->p_index == NULL )
{ {
msg_Err( p_demux, "Memory allocation error" ); msg_Err( p_demux, "Memory allocation error" );
...@@ -954,12 +954,13 @@ static void ReadRealIndex( demux_t *p_demux ) ...@@ -954,12 +954,13 @@ static void ReadRealIndex( demux_t *p_demux )
p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] ); p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] );
p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] ); p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] );
p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] ); p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] );
msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ", msg_Dbg( p_demux,
p_sys->p_index[i].time_offset, "Real Index: time %"PRIu32" file %"PRIu32" frame %"PRIu32,
p_sys->p_index[i].file_offset, p_sys->p_index[i].time_offset,
p_sys->p_index[i].frame_index ); p_sys->p_index[i].file_offset,
p_sys->p_index[i].frame_index );
} }
memset( p_sys->p_index + i_index_count, 0, sizeof( rm_index_t ) );
} }
/***************************************************************************** /*****************************************************************************
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment