From 4434e2ececd450c30fa50a0365a6b1f547a9dd54 Mon Sep 17 00:00:00 2001
From: Chris Double
Date: Mon, 10 Nov 2008 14:36:42 +1300
Subject: [PATCH] Bug 449307 - Fix memory corruption issue in liboggplay when querying duration - rs=roc
---
 media/liboggplay/README_MOZILLA | 2 +-
 media/liboggplay/src/liboggplay/oggplay.c | 7 ++++--
 .../src/liboggplay/oggplay_private.h | 3 +++
 .../liboggplay/src/liboggplay/oggplay_seek.c | 24 ++++++++++++-------
 4 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/media/liboggplay/README_MOZILLA b/media/liboggplay/README_MOZILLA
index 5e18b99fd84..0a765ef6643 100644
--- a/media/liboggplay/README_MOZILLA
+++ b/media/liboggplay/README_MOZILLA
@@ -5,7 +5,7 @@ the Mozilla build system.
 http://svn.annodex.net/liboggplay/trunk/
-The svn revision number used was r3761.
+The svn revision number used was r3774.
 The patch from Annodex trac ticket 421 is applied to fix bug 459938: http://trac.annodex.net/ticket/421
diff --git a/media/liboggplay/src/liboggplay/oggplay.c b/media/liboggplay/src/liboggplay/oggplay.c
index bea8a2da428..9a1c8b86d5c 100644
--- a/media/liboggplay/src/liboggplay/oggplay.c
+++ b/media/liboggplay/src/liboggplay/oggplay.c
@@ -644,9 +644,12 @@ oggplay_get_duration(OggPlay *me) {
 if (me->reader->duration) return me->reader->duration(me->reader);
 else {
- ogg_int64_t pos = oggz_tell_units(me->oggz);
- ogg_int64_t duration = oggz_seek_units(me->oggz, 0, SEEK_END);
+ ogg_int64_t pos;
+ ogg_int64_t duration;
+ pos = oggz_tell_units(me->oggz);
+ duration = oggz_seek_units(me->oggz, 0, SEEK_END);
 oggz_seek_units(me->oggz, pos, SEEK_SET);
+ oggplay_seek_cleanup(me, pos);
 return duration;
 }
 }
diff --git a/media/liboggplay/src/liboggplay/oggplay_private.h b/media/liboggplay/src/liboggplay/oggplay_private.h
index de87cb1e330..53cdeab00e0 100644
--- a/media/liboggplay/src/liboggplay/oggplay_private.h
+++ b/media/liboggplay/src/liboggplay/oggplay_private.h
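Review bot: In the `else` branch of `oggplay_get_duration` (oggplay.c), the added `oggplay_seek_cleanup(me, pos)` runs unconditionally, although neither `oggz_tell_units()` nor either `oggz_seek_units()` call is checked. If reading the position or seeking back fails (both calls appear to report failure with a negative value; confirm against the oggz headers), the playback state is reset for a position the stream is not actually at, which is the kind of reader/buffer mismatch this memory-corruption fix is meant to rule out. Return early with `if (pos < 0) return pos;` after the tell, and call the cleanup only when the restoring seek succeeded, e.g. `if (oggz_seek_units(me->oggz, pos, SEEK_SET) < 0) return -1;` (or whichever error value callers of this function expect). A duration query now also discards buffered data as a side effect, which deserves a one-line comment at the call. The function body starts above the hunk.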
@@ -229,6 +229,9 @@ oggplay_set_data_callback_force(OggPlay *me, OggPlayDataCallback callback,
 void oggplay_take_out_trash(OggPlay *me, OggPlaySeekTrash *trash);
+void
+oggplay_seek_cleanup(OggPlay *me, ogg_int64_t milliseconds);
+
 typedef struct {
 void (*init)(void *user_data);
 int (*callback)(OGGZ * oggz, ogg_packet * op, long serialno,
diff --git a/media/liboggplay/src/liboggplay/oggplay_seek.c b/media/liboggplay/src/liboggplay/oggplay_seek.c
index a9ceff1e957..415ce0fe24d 100644
--- a/media/liboggplay/src/liboggplay/oggplay_seek.c
+++ b/media/liboggplay/src/liboggplay/oggplay_seek.c
@@ -41,11 +41,7 @@
 OggPlayErrorCode oggplay_seek(OggPlay *me, ogg_int64_t milliseconds) {
- OggPlaySeekTrash * trash;
- OggPlaySeekTrash ** p;
- OggPlayDataHeader ** end_of_list_p;
- int i;
- int eof;
+ ogg_int64_t eof;
 if (me == NULL) {
 return E_OGGPLAY_BAD_OGGPLAY;
@@ -76,6 +72,21 @@ oggplay_seek(OggPlay *me, ogg_int64_t milliseconds) {
 }
 }
+ oggplay_seek_cleanup(me, milliseconds);
+
+ return E_OGGPLAY_OK;
+
+}
+
+void
+oggplay_seek_cleanup(OggPlay* me, ogg_int64_t milliseconds)
+{
+
+ OggPlaySeekTrash * trash;
+ OggPlaySeekTrash ** p;
+ OggPlayDataHeader ** end_of_list_p;
+ int i;
+
 /*
 * first, create a trash object to store the context that we want to
 * delete but can't until the presentation thread is no longer using it -
@@ -129,9 +140,6 @@ oggplay_seek(OggPlay *me, ogg_int64_t milliseconds) {
 }
 *p = trash;
-
- return E_OGGPLAY_OK;
-
 }
 void
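Review bot: The new `oggplay_seek_cleanup` prototype in oggplay_private.h has no comment, and its second parameter is named `milliseconds` even though `oggplay_get_duration` passes it the value returned by `oggz_tell_units()`. State the contract at the declaration so that later code which moves the stream position does not skip the call, for example `/* Call after any oggz seek so stale buffered data is retired; the second argument is the new stream position. me must be non-NULL. */`. Whether "after any oggz seek" is the intended rule is inferred from the two call sites in this commit and should be confirmed by the author.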
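Review bot: `oggplay_seek_cleanup`, introduced in the oggplay_seek.c hunk at new line 72, has external linkage but no `me == NULL` guard and returns `void`; before the split this code ran only behind the check at the top of `oggplay_seek`. Add `if (me == NULL) return;` as its first statement, or document at the definition that callers must pass an already validated handle. Because nothing is returned, `oggplay_seek` reports `E_OGGPLAY_OK` even if creating the trash object fails; whether that can happen depends on the allocation code, which lies outside the hunk, so this part is a question for the author rather than a confirmed defect. The function body continues beyond the hunk.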