matroska: pass the lace size to the matroska_parse_rm_audio

Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065 CC: libav-stable@libav.org
author: Luca Barbato 2013-03-29 12:51:51 +0100
committer: Luca Barbato 2013-04-03 12:34:38 +0200
commit: 25a80a931a3829f9d730971dbd269aa39cc273f6 (patch)
tree: a4630146a7ee48b417bf8256bb0cbcc5cffb0205
parent: 8a96df7b70be509dae9ceec82d2c10a20361356d (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 67a3308d7d..5279110312 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2080,7 +2080,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
              st->codec->codec_id == AV_CODEC_ID_ATRAC3) &&
              st->codec->block_align && track->audio.sub_packet_size) {
 
-            res = matroska_parse_rm_audio(matroska, track, st, data, size,
+            res = matroska_parse_rm_audio(matroska, track, st, data,
+                                          lace_size[n],
                                           timecode, duration, pos);
             if (res)
                 goto end;
@@ -2096,7 +2097,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
         if (timecode != AV_NOPTS_VALUE)
             timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
         data += lace_size[n];
-        size -= lace_size[n];
     }
 
 end:
author	Luca Barbato	2013-03-29 12:51:51 +0100
committer	Luca Barbato	2013-04-03 12:34:38 +0200
commit	25a80a931a3829f9d730971dbd269aa39cc273f6 (patch)
tree	a4630146a7ee48b417bf8256bb0cbcc5cffb0205
parent	8a96df7b70be509dae9ceec82d2c10a20361356d (diff)