
avidemux-2.5.4-5.2.mga1.src.rpm

Description: fix denial of service and possible code execution via malformed OGG
Origin: upstream, http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd63c32ff6f6a24dc971a0bb2ca8f8a4f57e79da
Bug: http://code.google.com/p/chromium/issues/detail?id=71788

diff -Nur ffmpeg-0.6/libavformat/oggdec.c ffmpeg-0.6.new/libavformat/oggdec.c
--- ffmpeg-0.6/libavformat/oggdec.c	2010-05-23 22:09:36.000000000 -0400
+++ ffmpeg-0.6.new/libavformat/oggdec.c	2011-09-16 09:31:56.456351992 -0400
@@ -582,15 +582,15 @@
                     int64_t pos_limit)
 {
     struct ogg *ogg = s->priv_data;
-    struct ogg_stream *os = ogg->streams + stream_index;
     ByteIOContext *bc = s->pb;
     int64_t pts = AV_NOPTS_VALUE;
-    int i;
+    int i = -1;
     url_fseek(bc, *pos_arg, SEEK_SET);
     ogg_reset(ogg);
 
     while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
         if (i == stream_index) {
+            struct ogg_stream *os = ogg->streams + stream_index;
             pts = ogg_calc_pts(s, i, NULL);
             if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
                 pts = AV_NOPTS_VALUE;
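Review bot: Nothing in the new code records why `os` is now taken inside the `if (i == stream_index)` branch rather than at the top of the function, so a later tidy-up could hoist it back above `ogg_packet()` and reintroduce the stale pointer. Presumably `ogg_packet()` can add a stream and move `ogg->streams` while parsing a malformed file, though the hunk does not show that. I would put `/* ogg_packet() may reallocate ogg->streams; only take os after it returns */` above the added declaration. The new initialiser also deserves a comment, `int i = -1; /* never equals a valid stream_index if ogg_packet() leaves it unset */`. The function's signature starts above this hunk and its body continues below it.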
@@ -615,6 +615,7 @@
         os->keyframe_seek = 1;
 
     ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+    os = ogg->streams + stream_index;
     if (ret < 0)
         os->keyframe_seek = 0;
     return ret;
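Review bot: Re-assigning `os` after `av_seek_frame_binary()` keeps a cached pointer in scope across a call that, judging by this patch, can invalidate it, and the only thing guarding it is statement order. Since the pointer is used once on the failure path, indexing at the point of use is harder to get wrong: `if (ret < 0) ogg->streams[stream_index].keyframe_seek = 0;`. If the assignment stays, a short comment such as `/* streams may have been reallocated during the seek */` would explain why it is repeated. The earlier use of `os` on the first context line is set up outside this hunk, so its derivation cannot be checked from here.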