author | Michael Niedermayer <[email protected]> | 2012-08-05 04:41:34 +0200 |
---|---|---|
committer | Michael Niedermayer <[email protected]> | 2012-08-06 16:51:59 +0200 |
commit | 606538df6c05df51aa811cef0c0bccb7499cc4a1 (patch) | |
tree | 025bb06073fe055397727a5ca4701c47abb96e16 | |
parent | a19010f7a6bc9e37b22e5b19d5eaba84d404b2f4 (diff) |
oggdec: check stream index before using it in ogg_get_length()
Fixes crash based on an uninitialized array index read.
If the read does not crash then out of array writes based
on the same index might have been triggered afterwards.
Found-by: [email protected]
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68)
Signed-off-by: Michael Niedermayer <[email protected]>
-rw-r--r-- | libavformat/oggdec.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index d30c17cc2a..6df48315d6 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -524,7 +524,9 @@ static int ogg_get_length(AVFormatContext *s)
 ogg_save (s);
 avio_seek (s->pb, s->data_offset, SEEK_SET);
 ogg_reset(s);
+ i = -1;
 while (!ogg_packet(s, &i, NULL, NULL, NULL)) {
+ if(i>=0) {
 int64_t pts = ogg_calc_pts(s, i, NULL);
 if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start){
 s->streams[i]->duration -= pts;
@@ -534,6 +536,7 @@ static int ogg_get_length(AVFormatContext *s)
 ogg->streams[i].got_start= 1;
 streams_left--;
 }
+ }
 if(streams_left<=0)
 break;
 } |
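Review bot: The sentinel `i = -1;` is assigned once before the loop, so the `if(i>=0)` guard only protects the first iteration. ogg_packet() is not visible here, but if a later call returns 0 without writing the index, `i` would still hold the previous packet's stream and the pts would be applied to that stream. Resetting it per iteration, for example `i = -1;` as the last statement of the loop body, keeps the guard meaningful for every packet. The guard also tests only the lower bound, so unless ogg_packet() guarantees an in-range index, an explicit upper-bound check before `s->streams[i]` and `ogg->streams[i]` would close the out-of-array write the commit message mentions. ogg_get_length() starts and ends outside these hunks, so this is based on the visible lines only.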