# HG changeset patch
# User Petri Hintukainen <phintuka@users.sourceforge.net>
# Date 1257260200 -7200
# Node ID 61fcc6e682a4db817461e3c825589a2c41ec71dd
# Parent  898baed1012ada88a6b8522f1f3d95f04815f556
Fixed buffer overflow:
input->read(input, this->scratch, this->blocksize) overflows if input plugin block size is larger than 4096.

diff -r 898baed1012a -r 61fcc6e682a4 src/demuxers/demux_mpeg_block.c
--- a/src/demuxers/demux_mpeg_block.c	Sun Oct 25 14:08:00 2009 +0000
+++ b/src/demuxers/demux_mpeg_block.c	Tue Nov 03 16:56:40 2009 +0200
@@ -43,6 +43,7 @@
 
 #define NUM_PREVIEW_BUFFERS   250
 #define DISC_TRESHOLD       90000
+#define MAX_BLOCK_SIZE       4096
 
 #define WRAP_THRESHOLD     120000 
 #define PTS_AUDIO 0
@@ -1385,7 +1386,7 @@
   this->demux_plugin.get_optional_data = demux_mpeg_block_get_optional_data;
   this->demux_plugin.demux_class       = class_gen;
 
-  this->scratch    = xine_xmalloc_aligned (512, 4096, &this->scratch_base);
+  this->scratch    = xine_xmalloc_aligned (512, MAX_BLOCK_SIZE, &this->scratch_base);
   this->status     = DEMUX_FINISHED;
 
   lprintf ("open_plugin:detection_method=%d\n",
@@ -1410,7 +1411,7 @@
       if (!this->blocksize)
         this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
-      if (!this->blocksize) {
+      if (!this->blocksize || this->blocksize > MAX_BLOCK_SIZE) {
         free (this->scratch_base);
         free (this);
         return NULL;