matroskaenc: fix cue tracknum off by 1 error

Fixes out of array accesses Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2013-02-23 23:05:44 +01:00 · 2013-02-23 23:05:44 +01:00 · 285485ac5f
parent 73fce258b7
commit 285485ac5f
1 changed files with 4 additions and 2 deletions
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@ -407,9 +407,11 @@ static int64_t mkv_write_cues(AVIOContext *pb, mkv_cues *cues, mkv_track *tracks
        for (j = 0; j < num_tracks; j++)
            tracks[j].has_cue = 0;
        for (j = 0; j < cues->num_entries - i && entry[j].pts == pts; j++) {
-            if (tracks[entry[j].tracknum].has_cue)
+            int tracknum = entry[j].tracknum - 1;
+            av_assert0(tracknum>=0 && tracknum<num_tracks);
+            if (tracks[tracknum].has_cue)
                continue;
-            tracks[entry[j].tracknum].has_cue = 1;
+            tracks[tracknum].has_cue = 1;
            track_positions = start_ebml_master(pb, MATROSKA_ID_CUETRACKPOSITION, MAX_CUETRACKPOS_SIZE);
            put_ebml_uint(pb, MATROSKA_ID_CUETRACK          , entry[j].tracknum   );
            put_ebml_uint(pb, MATROSKA_ID_CUECLUSTERPOSITION, entry[j].cluster_pos);