mirror of https://github.com/mpv-player/mpv
core: Fix ordered chapter timeline building memory corruption
Two arrays were allocated one element too small, causing writes beyond the allocated area. The bug was triggered when playing a Matroska file with ordered chapters where each chapter came from a different source and none of the sources was the original file. Noticed by Daniel Dawson <ddawson@icehouse.net>
parent
74fd43cf70
commit
de11a44bba
|
@ -2825,11 +2825,13 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
|
||||||
struct demuxer *demuxer = mpctx->demuxer;
|
struct demuxer *demuxer = mpctx->demuxer;
|
||||||
struct matroska_data *m = &demuxer->matroska_data;
|
struct matroska_data *m = &demuxer->matroska_data;
|
||||||
|
|
||||||
|
// +1 because sources/uid_map[0] is original file even if all chapters
|
||||||
|
// actually use other sources and need separate entries
|
||||||
struct content_source *sources = talloc_array_ptrtype(NULL, sources,
|
struct content_source *sources = talloc_array_ptrtype(NULL, sources,
|
||||||
m->num_ordered_chapters);
|
m->num_ordered_chapters+1);
|
||||||
sources[0].stream = mpctx->stream;
|
sources[0].stream = mpctx->stream;
|
||||||
sources[0].demuxer = mpctx->demuxer;
|
sources[0].demuxer = mpctx->demuxer;
|
||||||
unsigned char uid_map[m->num_ordered_chapters][16];
|
unsigned char uid_map[m->num_ordered_chapters+1][16];
|
||||||
int num_sources = 1;
|
int num_sources = 1;
|
||||||
memcpy(uid_map[0], m->segment_uid, 16);
|
memcpy(uid_map[0], m->segment_uid, 16);
|
||||||
|
|
||||||
|
@ -2852,6 +2854,7 @@ static void build_ordered_chapter_timeline(struct MPContext *mpctx)
|
||||||
uid_map);
|
uid_map);
|
||||||
|
|
||||||
|
|
||||||
|
// +1 for terminating chapter with start time marking end of last real one
|
||||||
struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline,
|
struct timeline_part *timeline = talloc_array_ptrtype(NULL, timeline,
|
||||||
m->num_ordered_chapters + 1);
|
m->num_ordered_chapters + 1);
|
||||||
struct chapter *chapters = talloc_array_ptrtype(NULL, chapters,
|
struct chapter *chapters = talloc_array_ptrtype(NULL, chapters,
|
||||||
|
|
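Review bot: `uid_map` in the first hunk of build_ordered_chapter_timeline is still a variable-length array on the stack, sized by `m->num_ordered_chapters`, which appears to come from the Matroska file being played, so a file declaring a very large chapter count can still exhaust the stack even with the off-by-one corrected. I would move it to the heap next to `sources`, e.g. `unsigned char (*uid_map)[16] = talloc_array_ptrtype(NULL, uid_map, m->num_ordered_chapters + 1);`, and free it wherever the function releases its temporaries; that part of the body lies outside the hunks shown. It would also help to reject or cap an implausible chapter count before these allocations, since the type and range of `num_ordered_chapters` are not visible here and the `+1` on an unchecked value could wrap.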