mov: Do not read past the end of the ctts_data table.
authorAlex Converse <alex.converse@gmail.com>
Wed, 21 Mar 2012 18:24:10 +0000 (11:24 -0700)
committerReinhard Tartler <siretart@tauware.de>
Sun, 29 Apr 2012 20:07:02 +0000 (22:07 +0200)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavformat/mov.c

index 089cdea..c527069 100644 (file)
@@ -2668,7 +2668,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     pkt->stream_index = sc->ffindex;
     pkt->dts = sample->timestamp;
-    if (sc->ctts_data) {
+    if (sc->ctts_data && sc->ctts_index < sc->ctts_count) {
         pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration;
         /* update ctts context */
         sc->ctts_sample++;