[FFmpeg-cvslog] matroska: pass the lace size to the matroska_parse_rm_audio

[Luca Barbato]

ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Fri Mar 29 12:51:51 2013 +0100| [09e391abd81c3298e230bebb3c4ce159a259d871] | committer: Reinhard Tartler

matroska: pass the lace size to the matroska_parse_rm_audio

Each lace must be independent according to the specification.

Fix heap-buffer-overflow in matroska_parse_block for
corrupted real media in mkv files.

Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065

CC: libav-stable at libav.org
(cherry picked from commit 25a80a931a3829f9d730971dbd269aa39cc273f6)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09e391abd81c3298e230bebb3c4ce159a259d871
---

 libavformat/matroskadec.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5e94b72..147c24c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2081,7 +2081,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
              st->codec->codec_id == AV_CODEC_ID_ATRAC3) &&
              st->codec->block_align && track->audio.sub_packet_size) {
 
-            res = matroska_parse_rm_audio(matroska, track, st, data, size,
+            res = matroska_parse_rm_audio(matroska, track, st, data,
+                                          lace_size[n],
                                           timecode, duration, pos);
             if (res)
                 goto end;
@@ -2097,7 +2098,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
         if (timecode != AV_NOPTS_VALUE)
             timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
         data += lace_size[n];
-        size -= lace_size[n];
     }
 
 end: