matroskadec: Fix a bug where a pointer was cached to an array that might later move...
authorChris Evans <cevans@chromium.org>
Thu, 5 Jan 2012 20:19:30 +0000 (21:19 +0100)
committerReinhard Tartler <siretart@tauware.de>
Sat, 7 Jan 2012 21:01:19 +0000 (22:01 +0100)
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry-picked from commit faaec4676cb4c7a2303d50df66c6290bc96a7657)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavformat/matroskadec.c

index 59dce4f..fad554f 100644 (file)
@@ -1134,7 +1134,6 @@ static void matroska_convert_tags(AVFormatContext *s)
 static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
 {
     EbmlList *seekhead_list = &matroska->seekhead;
-    MatroskaSeekhead *seekhead = seekhead_list->elem;
     uint32_t level_up = matroska->level_up;
     int64_t before_pos = avio_tell(matroska->ctx->pb);
     uint32_t saved_id = matroska->current_id;
@@ -1147,6 +1146,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
         return;
 
     for (i=0; i<seekhead_list->nb_elem; i++) {
+        MatroskaSeekhead *seekhead = seekhead_list->elem;
         int64_t offset = seekhead[i].pos + matroska->segment_start;
 
         if (seekhead[i].pos <= before_pos
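Review bot: The re-read of `seekhead_list->elem` on every iteration is the entire fix, but nothing at that line says why, so a later cleanup could hoist the declaration back above the loop as an obvious "optimization" and reintroduce the dangling pointer. Put the reason next to the new line: `/* elem may be reallocated by the loop body; re-read it each iteration, never cache it */`. From the commit title the reallocation appears to happen inside the loop body, but that body and the rest of matroska_execute_seekhead lie outside this hunk, so the exact call that grows the list cannot be confirmed here. Note that `nb_elem` is likewise re-read in the loop condition, which is consistent with the list growing during iteration; the comment could mention that both fields are deliberately not cached.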