[MPlayer-cvslog] r25350 - in trunk: mpcommon.c spudec.c spudec.h vobsub.c

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Wed Jan 16 21:06:18 CET 2008


Hello,
On Tue, Dec 11, 2007 at 11:12:58AM +0100, ulion wrote:
[...]
> Modified: trunk/vobsub.c
> ==============================================================================
> --- trunk/vobsub.c	(original)
> +++ trunk/vobsub.c	Tue Dec 11 11:12:58 2007
> @@ -1297,6 +1297,22 @@ vobsub_get_packet(void *vobhandle, float
>    unsigned int pts100 = 90000 * pts;
>    if (vob->spu_streams && 0 <= vobsub_id && (unsigned) vobsub_id < vob->spu_streams_size) {
>      packet_queue_t *queue = vob->spu_streams + vobsub_id;
> +
> +    int reseek_count = 0;
> +    unsigned int lastpts = 0;
> +    while (queue->current_index < queue->packets_size
> +            && queue->packets[queue->current_index].pts100 <= pts100) {
> +      lastpts = queue->packets[queue->current_index].pts100;
> +      ++queue->current_index;
> +      ++reseek_count;
> +    }
> +    while (reseek_count--) {
> +      --queue->current_index;
> +      if (queue->packets[queue->current_index-1].pts100 != UINT_MAX &&
> +          queue->packets[queue->current_index-1].pts100 != lastpts)
> +        break;
> +    }
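Review bot: the second while loop reads `queue->packets[queue->current_index-1]` right after `--queue->current_index` without checking that `current_index` is still above zero. If the first loop started at index 0 and advanced by one, the decrement brings it back to 0 and the condition reads the element one before the start of the array. Test `queue->current_index > 0` before touching `current_index-1`, or stop the rewind when the index reaches 0. A short comment saying what the rewind is meant to achieve, and why `UINT_MAX` entries are skipped, would also help, since neither is evident from the hunk.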

This code is wrong, e.g. if queue->current_index == 0 at the start of
the first while, it is possible that reseek_count ==
queue->current_index == 1 in the second while, and the code will do
queue->packets[-1].pts ...
And thus crash.
Not sure what the right fix is, maybe changing
"while (reseek_count--) {" to
"while (reseek_count-- && --queue->current_index) {"
(and of course removing the following "--queue->current_index;" line).

Greetings,
Reimar Döffinger


