oggdec: check stream index before using it in ogg_get_length()

Fixes crash based on a uninitialized array index read. If the read does not crash then out of array writes based on the same index might have been triggered afterwards. Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-08-05 04:41:34 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2012-08-05 05:08:15 +0200
commit: 9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 (patch)
tree: ee635ff4450aa1d490df17652c791007eb7251c3 /libavformat
parent: 74c6db05052a1197b485a735a825527685d77567 (diff)
download: ffmpeg-9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index b2d734aeaa..0a4650158d 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -525,7 +525,9 @@ static int ogg_get_length(AVFormatContext *s)
     ogg_save (s);
     avio_seek (s->pb, s->data_offset, SEEK_SET);
     ogg_reset(s);
+    i = -1;
     while (!ogg_packet(s, &i, NULL, NULL, NULL)) {
+        if(i>=0) {
         int64_t pts = ogg_calc_pts(s, i, NULL);
         if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start){
             s->streams[i]->duration -= pts;
@@ -535,6 +537,7 @@ static int ogg_get_length(AVFormatContext *s)
             ogg->streams[i].got_start= 1;
             streams_left--;
         }
+        }
             if(streams_left<=0)
                 break;
     }
author	Michael Niedermayer <michaelni@gmx.at>	2012-08-05 04:41:34 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2012-08-05 05:08:15 +0200
commit	9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 (patch)
tree	ee635ff4450aa1d490df17652c791007eb7251c3 /libavformat
parent	74c6db05052a1197b485a735a825527685d77567 (diff)
download	ffmpeg-9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68.tar.gz