[MPlayer-cvslog] r25350 - in trunk: mpcommon.c spudec.c spudec.h vobsub.c
Reimar Döffinger
Reimar.Doeffinger at stud.uni-karlsruhe.de
Wed Jan 16 21:06:18 CET 2008
Hello,
On Tue, Dec 11, 2007 at 11:12:58AM +0100, ulion wrote:
[...]
> Modified: trunk/vobsub.c
> ==============================================================================
> --- trunk/vobsub.c (original)
> +++ trunk/vobsub.c Tue Dec 11 11:12:58 2007
> @@ -1297,6 +1297,22 @@ vobsub_get_packet(void *vobhandle, float
> unsigned int pts100 = 90000 * pts;
> if (vob->spu_streams && 0 <= vobsub_id && (unsigned) vobsub_id < vob->spu_streams_size) {
> packet_queue_t *queue = vob->spu_streams + vobsub_id;
> +
> + int reseek_count = 0;
> + unsigned int lastpts = 0;
> + while (queue->current_index < queue->packets_size
> + && queue->packets[queue->current_index].pts100 <= pts100) {
> + lastpts = queue->packets[queue->current_index].pts100;
> + ++queue->current_index;
> + ++reseek_count;
> + }
> + while (reseek_count--) {
> + --queue->current_index;
> + if (queue->packets[queue->current_index-1].pts100 != UINT_MAX &&
> + queue->packets[queue->current_index-1].pts100 != lastpts)
> + break;
> + }
This code is wrong, e.g. if queue->current_index == 0 at the start of
the first while, it is possible that reseek_count ==
queue->current_index == 1 in the second while, and the code will do
queue->packets[-1].pts ...
And thus crash.
Not sure what the right fix is, maybe changing
"while (reseek_count--) {" to
"while (reseek_count-- && --queue->current_index) {"
(and of course removing the following "--queue->current_index;" line).
Greetings,
Reimar Döffinger