[FFmpeg-cvslog] shorten: Use separate pointers for the allocated memory for decoded samples .

Michael Niedermayer git at videolan.org
Mon Feb 11 12:41:06 CET 2013


ffmpeg | branch: release/0.5 | Michael Niedermayer <michaelni at gmx.at> | Sun Dec 25 12:28:50 2011 +0100| [9def5c466648d970f8d3e03d4b3947a6852d9c61] | committer: Reinhard Tartler

shorten: Use separate pointers for the allocated memory for decoded samples.

Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.

Fixes CVE-2012-0858
CC: libav-stable at libav.org

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles at gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9def5c466648d970f8d3e03d4b3947a6852d9c61
---

 libavcodec/shorten.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 9d66d76..09290fc 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -82,6 +82,7 @@ typedef struct ShortenContext {
     int channels;
 
     int32_t *decoded[MAX_CHANNELS];
+    int32_t *decoded_base[MAX_CHANNELS];
     int32_t *offset[MAX_CHANNELS];
     uint8_t *bitstream;
     int bitstream_size;
@@ -129,13 +130,14 @@ static int allocate_buffers(ShortenContext *s)
             return AVERROR(ENOMEM);
         s->offset[chan] = tmp_ptr;
 
-        tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+        tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+                             sizeof(s->decoded_base[0][0]));
         if (!tmp_ptr)
             return AVERROR(ENOMEM);
-        s->decoded[chan] = tmp_ptr;
+        s->decoded_base[chan] = tmp_ptr;
         for (i=0; i<s->nwrap; i++)
-            s->decoded[chan][i] = 0;
-        s->decoded[chan] += s->nwrap;
+            s->decoded_base[chan][i] = 0;
+        s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
     }
     return 0;
 }
@@ -523,8 +525,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
     int i;
 
     for (i = 0; i < s->channels; i++) {
-        s->decoded[i] -= s->nwrap;
-        av_freep(&s->decoded[i]);
+        s->decoded[i] = NULL;
+        av_freep(&s->decoded_base[i]);
         av_freep(&s->offset[i]);
     }
     av_freep(&s->bitstream);



More information about the ffmpeg-cvslog mailing list