[MPlayer-dev-eng] [Possible bug]crash when decoding some rmvb files

[??]

Hi,

Recently I found MPlayer sometimes crashed when playing some rmvb files,
and I 
did a little debug, the problem seems to be in these codes:

demux_real.c:
add_index_item:

=======
if (priv->index_table_size[stream_id] >=
priv->index_malloc_size[stream_id])
{
      if (priv->index_malloc_size[stream_id] == 0)
        priv->index_malloc_size[stream_id] = 2048;
      else
        priv->index_malloc_size[stream_id] += 
priv->index_malloc_size[stream_id] / 2;
      priv->index_table[stream_id] =
      realloc(priv->index_table[stream_id], 
priv->index_malloc_size[stream_id]*sizeof(priv->index_table[0][0]));
}

if (priv->index_table_size[stream_id] > 0)
    {
      index =
      &priv->index_table[stream_id][priv->index_table_size[stream_id] 
- 1];
...
=======

(sorry for the linebreaks:(), the code is part of the runtime index 
generation, and it seems the code is trying to enlarge the
priv->index_table 
the add new indexs, but after the first if, I think the index_table can
be 
smaller than index_table_size, so mplayer crashed in the second if.
These 
code works well when mplayer do use runtime generation, add index item
one by 
one. But in some situation, mplayer first read all the index from the
index 
chunk, then tried to generate index, then index_table_size will be very 
large, and index_malloc_size will not be bigger even after the first if.
Seem 
some conflict between the runtime index generation and the old index
chunk 
reading.

BTW, it seems very strange that only some rmvb crashed in these codes,
most 
rmvb/rm works well. Someone have any idea about this? And submit some
sample 
could be difficult, because I have to upload the complete file, or
mplayer 
will discard the index chunk.

-- 
Best Regards,
LR
-- 
  ??
  hephooey at fastmail.fm