[FFmpeg-devel] [PATCH] avio: fix potential crashes when combining ffio_ensure_seekback + crc

wm4 nfxjfg at googlemail.com
Wed Jun 17 00:21:02 CEST 2015


Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.

This effectively fixes potential crashes when opening mp3 files.
---
checksum_ptr is an abomination. Should probably be replaced by an
offset or so, except it's part of the ABI now.
---
 libavformat/aviobuf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index dfefe62..194bc22 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -820,6 +820,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
         return 0;
     av_assert0(!s->write_flag);
 
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
+
     buffer = av_malloc(buf_size);
     if (!buffer)
         return AVERROR(ENOMEM);
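Review bot: the `ptrdiff_t checksum_ptr_offset = ...;` line declares a variable after the `av_assert0(!s->write_flag);` statement, which mixes declarations and code; FFmpeg's coding rules keep declarations at the start of the block, so declare `ptrdiff_t checksum_ptr_offset;` with the function's other locals and assign it here. Taking the offset before `av_malloc()` is the right ordering, since it must be computed while `s->buffer` still refers to the old block, and the `-1` sentinel is needed because offset 0 is a legitimate position when checksumming starts at the head of the buffer.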
@@ -830,6 +832,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
     s->buf_end = buffer + (s->buf_end - s->buffer);
     s->buffer = buffer;
     s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
     return 0;
 }
 
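Review bot: the restore is consistent with the `s->buf_end = buffer + (s->buf_end - s->buffer);` relocation a few lines above (both recompute a buffer-relative position against the old `s->buffer`), but nothing in the code says why `checksum_ptr` needs it; a one-line comment on `if (checksum_ptr_offset >= 0)` noting that `checksum_ptr` points into the buffer and must follow it across the reallocation would stop the next buffer-relative pointer from being forgotten the same way. The `>= 0` test rather than a truthiness test is what keeps an offset of 0 working, which is worth keeping as is.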
-- 
2.1.4
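To show the failure the commit message describes in isolation, here is an added, self-contained C model of the relevant AVIOContext fields (a constructed `ToyIO` struct, not FFmpeg's code): one grow routine leaves `checksum_ptr` pointing into the freed block as before the patch, the other saves it as an offset and restores it as the patch does. The function names and the eight-byte payload are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the AVIOContext fields involved; not FFmpeg's
 * struct. checksum_ptr marks the start of data not yet fed to the running
 * checksum; NULL means checksumming is off. */
typedef struct ToyIO {
    unsigned char *buffer;
    unsigned char *buf_ptr;       /* next byte to read */
    unsigned char *buf_end;       /* end of valid data */
    unsigned char *checksum_ptr;  /* start of not-yet-checksummed data */
    size_t         buffer_size;
} ToyIO;

/* Load a constructed payload and start checksumming at checksum_offset,
 * roughly what ffio_init_checksum() does for the real context. */
int toy_init(ToyIO *s, size_t size, const unsigned char *data, size_t len,
             size_t checksum_offset)
{
    if (len > size || checksum_offset > len)
        return -1;
    s->buffer = malloc(size);
    if (!s->buffer)
        return -1;
    memcpy(s->buffer, data, len);
    s->buffer_size  = size;
    s->buf_ptr      = s->buffer + len;   /* all bytes already consumed */
    s->buf_end      = s->buffer + len;
    s->checksum_ptr = s->buffer + checksum_offset;
    return 0;
}

/* Reallocation as ffio_ensure_seekback() did before the patch: the new block
 * is allocated while the old one is alive, data and buf_ptr/buf_end are
 * carried over, checksum_ptr is not. */
static int toy_grow_core(ToyIO *s, size_t new_size)
{
    unsigned char *buffer;
    if (new_size <= s->buffer_size)
        return 0;
    buffer = malloc(new_size);
    if (!buffer)
        return -1;
    memcpy(buffer, s->buffer, (size_t)(s->buf_end - s->buffer));
    s->buf_ptr = buffer + (s->buf_ptr - s->buffer);
    s->buf_end = buffer + (s->buf_end - s->buffer);
    free(s->buffer);
    s->buffer      = buffer;
    s->buffer_size = new_size;
    return 0;
}

/* Pre-patch behaviour: checksum_ptr is left dangling into the freed block. */
int toy_grow_buggy(ToyIO *s, size_t new_size)
{
    return toy_grow_core(s, new_size);
}

/* Patched behaviour: keep checksum_ptr as an offset (-1 = off) across the
 * move and rebase it on the new buffer afterwards. */
int toy_grow_fixed(ToyIO *s, size_t new_size)
{
    ptrdiff_t off = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
    int ret = toy_grow_core(s, new_size);
    if (ret < 0)
        return ret;
    if (off >= 0)
        s->checksum_ptr = s->buffer + off;
    return 0;
}

/* 1 if checksum_ptr lies inside the current buffer, else 0. Addresses are
 * compared as integers so a stale pointer can be inspected without being
 * dereferenced. */
int toy_checksum_ptr_valid(const ToyIO *s)
{
    uintptr_t p = (uintptr_t)s->checksum_ptr;
    uintptr_t b = (uintptr_t)s->buffer;
    return s->checksum_ptr != NULL && p >= b && p <= b + s->buffer_size;
}

/* Sum the bytes in [checksum_ptr, buf_ptr): this is the read that runs out
 * of bounds when checksum_ptr is stale, so only call it when valid. */
unsigned toy_checksum_update(ToyIO *s)
{
    unsigned sum = 0;
    while (s->checksum_ptr < s->buf_ptr)
        sum += *s->checksum_ptr++;
    return sum;
}

void toy_free(ToyIO *s) { free(s->buffer); s->buffer = NULL; }

int main(void)
{
    static const unsigned char d[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    ToyIO a, b;
    toy_init(&a, 8, d, 8, 3); toy_grow_fixed(&a, 32);
    printf("fixed: valid=%d sum=%u\n", toy_checksum_ptr_valid(&a), toy_checksum_update(&a));
    toy_init(&b, 8, d, 8, 3); toy_grow_buggy(&b, 32);
    printf("buggy: valid=%d (checksum_ptr would read freed memory)\n", toy_checksum_ptr_valid(&b));
    toy_free(&a); toy_free(&b);
    return 0;
}
```

The validity check is the kind of invariant an assertion in the real code could enforce after any buffer move: every buffer-relative pointer in the context must still lie within `[buffer, buffer + buffer_size]`.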