From fe53fa253f4a54f715249f0d88f7320ae0f65df5 Mon Sep 17 00:00:00 2001
From: Aurelien Jacobs <aurel@gnuage.org>
Date: Mon, 2 Jun 2008 23:07:41 +0000
Subject: [PATCH] reorganize matroska_add_stream() to fix potential mem leak
 and buffer overflow fix CID44

Originally committed as revision 13634 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/matroskadec.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 11426307feb..e20332945f2 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1021,17 +1021,16 @@ matroska_add_stream (MatroskaDemuxContext *matroska)
     uint32_t id;
     MatroskaTrack *track;
 
+    /* start with the master */
+    if ((res = ebml_read_master(matroska, &id)) < 0)
+        return res;
+
     av_log(matroska->ctx, AV_LOG_DEBUG, "parsing track, adding stream..,\n");
 
     /* Allocate a generic track. As soon as we know its type we'll realloc. */
     track = av_mallocz(MAX_TRACK_SIZE);
-    matroska->num_tracks++;
     strcpy(track->language, "eng");
 
-    /* start with the master */
-    if ((res = ebml_read_master(matroska, &id)) < 0)
-        return res;
-
     /* try reading the trackentry headers */
     while (res == 0) {
         if (!(id = ebml_peek_id(matroska, &matroska->level_up))) {
@@ -1088,7 +1087,6 @@ matroska_add_stream (MatroskaDemuxContext *matroska)
                         track->type = MATROSKA_TRACK_TYPE_NONE;
                         break;
                 }
-                matroska->tracks[matroska->num_tracks - 1] = track;
                 break;
             }
 
@@ -1623,6 +1621,11 @@ matroska_add_stream (MatroskaDemuxContext *matroska)
         }
     }
 
+    if (track->type && matroska->num_tracks < ARRAY_SIZE(matroska->tracks)) {
+        matroska->tracks[matroska->num_tracks++] = track;
+    } else {
+        av_free(track);
+    }
     return res;
 }
 
-- 
GitLab