From 2f215bf9d456bbad04178a89e2f25062534264ba Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Sun, 7 Mar 2004 04:03:27 +0000
Subject: gst/qtdemux/qtdemux.c: Fix crash (j might be greater than n_samples, in which case we're writing outside the allocate...

Original commit message from CVS: * gst/qtdemux/qtdemux.c: (gst_qtdemux_add_stream), (qtdemux_parse_trak): Fix crash (j might be greater than n_samples, in which case we're writing outside the allocated space for the array) and memleak.
---
 ChangeLog | 7 +++++++
 gst/qtdemux/qtdemux.c | 12 +++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index da7e7e3d..21af3a43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2004-03-06 Ronald Bultje
+
+ * gst/qtdemux/qtdemux.c: (gst_qtdemux_add_stream),
+ (qtdemux_parse_trak):
+ Fix crash (j might be greater than n_samples, in which case we're
+ writing outside the allocated space for the array) and memleak.
+
 2004-03-06 Ronald Bultje

 * sys/oss/gstosssink.c: (gst_osssink_chain):
diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index 5ce3807b..38267655 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -687,9 +687,10 @@ static void gst_qtdemux_loop_header (GstElement *element)
 void gst_qtdemux_add_stream(GstQTDemux *qtdemux, QtDemuxStream *stream)
 {
 if(stream->subtype == GST_MAKE_FOURCC('v','i','d','e')){
+ gchar *name = g_strdup_printf ("video_%02d", qtdemux->n_video_streams);
 stream->pad = gst_pad_new_from_template (
- gst_static_pad_template_get(&gst_qtdemux_videosrc_template),
- g_strdup_printf ("video_%02d", qtdemux->n_video_streams));
+ gst_static_pad_template_get(&gst_qtdemux_videosrc_template), name);
+ g_free (name);
 stream->fps = 1. * GST_SECOND / stream->samples[0].duration;
 if(stream->caps){
 gst_caps_set_simple(stream->caps,
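Review bot: `stream->samples[0].duration` in the video branch is read with no visible check that the track has at least one sample, and the sample table appears to be built from the file being demuxed. If a track can reach gst_qtdemux_add_stream with an empty table, this is a read past the allocation, the same class of fault the commit fixes in qtdemux_parse_trak. A zero duration would also make `fps` non-finite, so a guard such as `if (stream->samples[0].duration == 0)` together with a check on the stream's sample count belongs before the division. The function body continues outside the hunk, so such a check may already exist elsewhere.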
@@ -699,9 +700,10 @@ void gst_qtdemux_add_stream(GstQTDemux *qtdemux, QtDemuxStream *stream) } qtdemux->n_video_streams++; }else{ + gchar *name = g_strdup_printf ("audio_%02d", qtdemux->n_audio_streams); stream->pad = gst_pad_new_from_template ( - gst_static_pad_template_get(&gst_qtdemux_audiosrc_template), - g_strdup_printf ("audio_%02d", qtdemux->n_audio_streams)); + gst_static_pad_template_get(&gst_qtdemux_audiosrc_template), name); + g_free (name); if(stream->caps){ gst_caps_set_simple(stream->caps, "rate", G_TYPE_INT, (int)stream->rate, @@ -1600,6 +1602,7 @@ done: for(j=first_chunk;j=n_samples)goto done2; if(stco){ chunk_offset = QTDEMUX_GUINT32_GET(stco->data + 16 + j*4); }else{ @@ -1620,7 +1623,6 @@ done: #endif samples[j].sample_index = sample_index; sample_index += samples_per_chunk; - if(j>=n_samples)goto done2; } } /* -- cgit v1.2.1
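Review bot: Freeing `name` right after `gst_pad_new_from_template ()` is only safe if the pad keeps its own copy of the string, which is not shown in this hunk or in the video-branch hunk above that uses the same pattern. If the pad stored the pointer instead, `g_free (name)` would leave it dangling. A one-line comment at both sites would record the ownership assumption, for example `/* the pad copies its name, so the temporary is ours to free */`. The function body continues outside the hunk.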
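Review bot: The guard moved to the top of the loop bounds `j` against `n_samples`, which protects the writes to `samples[j]`, but the read `QTDEMUX_GUINT32_GET(stco->data + 16 + j*4)` just below it is not bounded against the size of the stco atom in the visible lines. If the chunk range is taken from a different table in the file than stco's own entry count (not visible here), a malformed file could make that read run past the atom. Consider also stopping when `j` reaches the entry count stored in the stco header, and logging when `goto done2` is taken so that truncated tables show up in debug output. The loop starts and ends outside the hunk, and the hunk text on this page is partly garbled, so this should be checked against the file itself.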