[FFmpeg-cvslog] Fix uninitialized reads on malformed ogg files.
Dale Curtis
git at videolan.org
Mon Feb 11 12:41:05 CET 2013
ffmpeg | branch: release/0.5 | Dale Curtis <dalecurtis at chromium.org> | Wed Mar 7 14:26:58 2012 -0800| [c3761b661874174a63aded4933a62aa1246f9339] | committer: Reinhard Tartler
Fix uninitialized reads on malformed ogg files.
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3761b661874174a63aded4933a62aa1246f9339
---
libavformat/oggdec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 54406f5..cf1df84 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -66,8 +66,7 @@ ogg_save (AVFormatContext * s)
for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i;
- os->buf = av_malloc (os->bufsize);
- memset (os->buf, 0, os->bufsize);
+ os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (os->buf, ost->streams[i].buf, os->bufpos);
}
@@ -166,7 +165,7 @@ ogg_new_stream (AVFormatContext * s, uint32_t serial)
os = ogg->streams + idx;
os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE;
- os->buf = av_malloc(os->bufsize);
+ os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1;
st = av_new_stream (s, idx);
@@ -182,7 +181,7 @@ static int
ogg_new_buf(struct ogg *ogg, int idx)
{
struct ogg_stream *os = ogg->streams + idx;
- uint8_t *nb = av_malloc(os->bufsize);
+ uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart;
if(os->buf){
memcpy(nb, os->buf + os->pstart, size);
@@ -279,7 +278,7 @@ ogg_read_page (AVFormatContext * s, int *str)
}
if (os->bufsize - os->bufpos < size){
- uint8_t *nb = av_malloc (os->bufsize *= 2);
+ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (nb, os->buf, os->bufpos);
av_free (os->buf);
os->buf = nb;
@@ -293,6 +292,7 @@ ogg_read_page (AVFormatContext * s, int *str)
os->granule = gp;
os->flags = flags;
+ memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str)
*str = idx;
More information about the ffmpeg-cvslog
mailing list