avoid crashing when trying to parse invalid files, patch by Andreas Oman, andreas...

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@6752 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

diff --git a/libavformat/tiertexseq.c b/libavformat/tiertexseq.c
index 4bd1cda06dc35332a533f59d81693062c3555489..b1a39bf760972cfea7dbcca9f36ea12169a1d630 100644 (file)
--- a/libavformat/tiertexseq.c
+++ b/libavformat/tiertexseq.c
@@ -122,7 +122,7 @@ static int seq_parse_frame_data(SeqDemuxContext *seq, ByteIOContext *pb)
 {
     unsigned int offset_table[4], buffer_num[4];
     TiertexSeqFrameBuffer *seq_buffer;
-    int i, e;
+    int i, e, err;
 
     seq->current_frame_offs += SEQ_FRAME_SIZE;
     url_fseek(pb, seq->current_frame_offs, SEEK_SET);
@@ -153,13 +153,18 @@ static int seq_parse_frame_data(SeqDemuxContext *seq, ByteIOContext *pb)
     for (i = 0; i < 3; i++) {
         if (offset_table[i] != 0) {
             for (e = i + 1; e < 4 && offset_table[e] == 0; e++);
-            seq_fill_buffer(seq, pb, buffer_num[1 + i],
+            err = seq_fill_buffer(seq, pb, buffer_num[1 + i],
               offset_table[i],
               offset_table[e] - offset_table[i]);
+            if (err != 0)
+                return err;
         }
     }
 
     if (buffer_num[0] != 255) {
+        if (buffer_num[0] >= SEQ_NUM_FRAME_BUFFERS)
+            return AVERROR_INVALIDDATA;
+
         seq_buffer = &seq->frame_buffers[buffer_num[0]];
         seq->current_video_data_size = seq_buffer->fill_size;
         seq->current_video_data_ptr  = seq_buffer->data;