Commit 4bc422b0 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Really fix the real overflow

parent a8e4f023
......@@ -925,14 +925,14 @@ static void ReadRealIndex( demux_t *p_demux )
msg_Dbg( p_demux, "Real Index : num : %d ", i_index_count );
if( i_index_count == 0 )
if( i_index_count > ( 0xffffffff / sizeof( rm_index_t ) ) )
return;
if( GetDWBE( &buffer[16] ) > 0 )
msg_Dbg( p_demux, "Real Index: Does next index exist? %d ",
GetDWBE( &buffer[16] ) );
p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) );
p_sys->p_index = malloc( ( i_index_count + 1 ) * sizeof( rm_index_t ) );
if( p_sys->p_index == NULL )
{
msg_Err( p_demux, "Memory allocation error" );
......@@ -954,12 +954,13 @@ static void ReadRealIndex( demux_t *p_demux )
p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] );
p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] );
p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] );
msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ",
msg_Dbg( p_demux,
"Real Index: time %"PRIu32" file %"PRIu32" frame %"PRIu32,
p_sys->p_index[i].time_offset,
p_sys->p_index[i].file_offset,
p_sys->p_index[i].frame_index );
}
memset( p_sys->p_index + i_index_count, 0, sizeof( rm_index_t ) );
}
/*****************************************************************************
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment