core: Fix ordered chapter timeline building memory corruption

Two arrays were allocated one element too small, causing writes beyond the allocated area. The bug was triggered when playing a Matroska file with ordered chapters where each chapter came from a different source and none of the sources was the original file. Noticed by Daniel Dawson <ddawson@icehouse.net>
2025-02-06 07:01:45 +00:00 · 2009-12-02 12:24:19 +02:00 · 2009-12-02 12:24:19 +02:00 · de11a44bba
commit de11a44bba
parent 74fd43cf70
1 changed files with 5 additions and 2 deletions
--- a/mplayer.c
+++ b/mplayer.c
@ -2825,11 +2825,13 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
    struct demuxer *demuxer = mpctx->demuxer;
    struct matroska_data *m = &demuxer->matroska_data;

+    // +1 because sources/uid_map[0] is original file even if all chapters
+    // actually use other sources and need separate entries
    struct content_source *sources = talloc_array_ptrtype(NULL, sources,
-                                                   m->num_ordered_chapters);
+                                                   m->num_ordered_chapters+1);
    sources[0].stream = mpctx->stream;
    sources[0].demuxer = mpctx->demuxer;
-    unsigned char uid_map[m->num_ordered_chapters][16];
+    unsigned char uid_map[m->num_ordered_chapters+1][16];
    int num_sources = 1;
    memcpy(uid_map[0], m->segment_uid, 16);

@ -2852,6 +2854,7 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
                                               uid_map);


+    // +1 for terminating chapter with start time marking end of last real one
    struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline,
                                                  m->num_ordered_chapters + 1);
    struct chapter *chapters = talloc_array_ptrtype(NULL, chapters,