[FFmpeg-trac] #1244(avformat:new): ogg: vorbis_header() leaks memory allocated for packets in private data.

FFmpeg trac at avcodec.org
Mon Apr 23 23:36:05 CEST 2012 

#1244: ogg: vorbis_header() leaks memory allocated for packets in private data.
------------------------------------+--------------------------------------
             Reporter:  dalecurtis  |                     Type:  defect
               Status:  new         |                 Priority:  normal
            Component:  avformat    |                  Version:  git-master
             Keywords:              |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+--------------------------------------
 Memory allocated here:
 http://git.videolan.org/?p=ffmpeg.git&a=blob&f=libavformat/oggparsevorbis.c&hb=HEAD#l225

 Whenever a corrupt ogg file is parsed, the ogg parser may abort before
 vorbis parsing completes and fixup_vorbis_headers() is called which
 normally free's the memory.

 It might be possible to create a malicious ogg file which triggers this
 allocation repeated or with a large os->psize, but at worst it'd be a
 memory DoS.

 Non-obvious on how to fix since the allocation happens in the private data
 section and the free happens after some assumed subsequent parsing.

 Valgrind:
 Leak_DefinitelyLost
 30 bytes in 1 blocks are definitely lost in loss record 999 of 2,937
   posix_memalign (m_replacemalloc/vg_replace_malloc.c:1093)
   av_malloc (/out/Debug/../../third_party/ffmpeg/libavutil/mem.c:94)
   av_mallocz (/out/Debug/../../third_party/ffmpeg/libavutil/mem.c:186)
   vorbis_header
 (/out/Debug/../../third_party/ffmpeg/libavformat/oggparsevorbis.c:225)
   ogg_packet
 (/out/Debug/../../third_party/ffmpeg/libavformat/oggdec.c:400)
   ogg_read_header
 (/out/Debug/../../third_party/ffmpeg/libavformat/oggdec.c:467)
   avformat_open_input
 (/out/Debug/../../third_party/ffmpeg/libavformat/utils.c:634)
   media::FFmpegDemuxer::InitializeTask(media::DemuxerHost*,
 base::Callback<void ()(media::PipelineStatus)> const&)
 (/out/Debug/../../media/filters/ffmpeg_demuxer.cc:490)

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1244>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list