[FFmpeg-cvslog] Fix uninitialized reads on malformed ogg files.

Dale Curtis git at videolan.org
Mon Feb 11 12:41:05 CET 2013


ffmpeg | branch: release/0.5 | Dale Curtis <dalecurtis at chromium.org> | Wed Mar  7 14:26:58 2012 -0800| [c3761b661874174a63aded4933a62aa1246f9339] | committer: Reinhard Tartler

Fix uninitialized reads on malformed ogg files.

The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes, which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3761b661874174a63aded4933a62aa1246f9339
---

 libavformat/oggdec.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 54406f5..cf1df84 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -66,8 +66,7 @@ ogg_save (AVFormatContext * s)
 
     for (i = 0; i < ogg->nstreams; i++){
         struct ogg_stream *os = ogg->streams + i;
-        os->buf = av_malloc (os->bufsize);
-        memset (os->buf, 0, os->bufsize);
+        os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
         memcpy (os->buf, ost->streams[i].buf, os->bufpos);
     }
 
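Review bot: The av_mallocz result on the added line is handed straight to memcpy with no NULL check, so an allocation failure becomes a NULL dereference instead of an error; the ogg_new_buf hunk and the buffer-growth hunk in ogg_read_page have the same unchecked memcpy after their new av_malloc calls. The allocation size grew by FF_INPUT_BUFFER_PADDING_SIZE, which makes the check no less important than before. If ogg_save can return a status (its signature and the rest of the loop are outside the hunk), `if (!os->buf) return AVERROR(ENOMEM);` before the memcpy would cover it; otherwise at least skip the copy.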
@@ -166,7 +165,7 @@ ogg_new_stream (AVFormatContext * s, uint32_t serial)
     os = ogg->streams + idx;
     os->serial = serial;
     os->bufsize = DECODER_BUFFER_SIZE;
-    os->buf = av_malloc(os->bufsize);
+    os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     os->header = -1;
 
     st = av_new_stream (s, idx);
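Review bot: The padding bytes allocated on the `+` line are left uninitialized, unlike the ogg_save hunk, which switched to av_mallocz for the same purpose. As far as this diff shows, the padding is only zeroed by the memset added at the end of ogg_read_page, so between stream creation and the first appended page the extra bytes are as undefined as before — presumably nothing parses the buffer before then, but that is not visible here. Using `os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` would make the buffer defined from creation for a one-time allocation. ogg_new_stream continues outside the hunk.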
@@ -182,7 +181,7 @@ static int
 ogg_new_buf(struct ogg *ogg, int idx)
 {
     struct ogg_stream *os = ogg->streams + idx;
-    uint8_t *nb = av_malloc(os->bufsize);
+    uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     int size = os->bufpos - os->pstart;
     if(os->buf){
         memcpy(nb, os->buf + os->pstart, size);
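Review bot: The new buffer gets the padding bytes allocated but not zeroed: only `size` bytes are copied into `nb`, and nothing in this hunk clears the region after them. Whether a parser can read past the copied data before ogg_read_page's memset runs cannot be determined from here, so either zero it now with `memset(nb + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the memcpy, or document the reliance with a comment such as `/* padding is zeroed by ogg_read_page after the next page is appended */`. Note also that `size` is computed as an int difference; if os->bufpos could ever be below os->pstart the memcpy length would wrap, which is worth an assert if that invariant is not already guaranteed. ogg_new_buf's body continues past the hunk.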
@@ -279,7 +278,7 @@ ogg_read_page (AVFormatContext * s, int *str)
     }
 
     if (os->bufsize - os->bufpos < size){
-        uint8_t *nb = av_malloc (os->bufsize *= 2);
+        uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
         memcpy (nb, os->buf, os->bufpos);
         av_free (os->buf);
         os->buf = nb;
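Review bot: Folding the `os->bufsize *= 2` side effect into the av_malloc argument on the `+` line makes the new size computation hard to read and easy to get wrong when the expression is touched again; splitting it into `os->bufsize *= 2;` followed by `uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` keeps the same behaviour. The doubling itself is also done without an upper bound, so a sequence of oversized pages in a malformed file keeps growing the buffer until the int overflows or allocation fails, and the memcpy on the next line runs without checking `nb`. Whether the surrounding code caps `size` before this point is outside the hunk.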
@@ -293,6 +292,7 @@ ogg_read_page (AVFormatContext * s, int *str)
     os->granule = gp;
     os->flags = flags;
 
+    memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
     if (str)
         *str = idx;
 
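Review bot: The added memset is the line that actually makes the fix work, and it deserves a comment stating why it exists, e.g. `/* zero the FF_INPUT_BUFFER_PADDING_SIZE bytes after the page data so parsers that read past bufpos see defined bytes */`. The write is in bounds only while os->bufpos <= os->bufsize; the growth hunk above doubles bufsize once per page, so this holds if a single page can never exceed the doubled space, which depends on DECODER_BUFFER_SIZE and the page-size limit not visible here and is worth confirming.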


