--- xine-lib-1.1.0/src/demuxers/demux_avi.c.cve-2006-1502 2006-06-14 04:48:24.173424078 -0600 +++ xine-lib-1.1.0/src/demuxers/demux_avi.c 2006-06-14 04:53:37.314007396 -0600 @@ -1043,7 +1043,12 @@ static avi_t *AVI_init(demux_avi_t *this lprintf("Invalid Header, bIndexSubType != 0\n"); } - superindex->aIndex = malloc (superindex->wLongsPerEntry * superindex->nEntriesInUse * sizeof (uint32_t)); + if (superindex->nEntriesInUse > n / sizeof (avisuperindex_entry)) { + lprintf("broken index !, dwSize=%d, entries=%d\n", n, superindex->nEntriesInUse); + i += 8 + n; + continue; + } + superindex->aIndex = malloc (superindex->nEntriesInUse * sizeof (avisuperindex_entry)); /* position of ix## chunks */ for (j = 0; j < superindex->nEntriesInUse; ++j) { superindex->aIndex[j].qwOffset = LE_64 (a); a += 8;