authorAnton Khirnov <anton@khirnov.net>2013-11-15 10:15:24 +0100
committerReinhard Tartler <siretart@tauware.de>2014-01-05 17:13:19 -0500
commitcbf51c4d36af139b6ce2c3f1c96955ca87468e2a (patch)
tree541e853a3867110c78011255866ae061465f2a41
parent26221a54eca391de29557fc08c32d23a40ef4d32 (diff)
matroskadec: pad EBML_BIN data.
It might be passed to code requiring padding, such as lzo decompression. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 30be1ea33e5525266ad871bed60b1893a53caeaf) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavformat/matroskadec.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e42118c10f..730285afdc 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -704,9 +704,11 @@ static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
static int ebml_read_binary(AVIOContext *pb, int length, EbmlBin *bin)
{
av_free(bin->data);
- if (!(bin->data = av_malloc(length)))
+ if (!(bin->data = av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE)))
return AVERROR(ENOMEM);
+ memset(bin->data + length, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+
bin->size = length;
bin->pos = avio_tell(pb);
if (avio_read(pb, bin->data, length) != length) {
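Review bot: The new `av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE)` adds the padding to an `int length` with no bound visible in this hunk, so a negative or near-`INT_MAX` length would make the sum overflow or come out too small, and the following `memset(bin->data + length, 0, ...)` would then write outside the allocation. The caller may already cap EBML_BIN element sizes, but that check is not shown here, so a local guard at the top of the function would make it safe on its own: `if (length < 0 || length > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA;`. A short comment above the allocation would also help, e.g. `/* zeroed padding, not counted in bin->size; consumers such as lzo decompression may read past the payload */`. The body of ebml_read_binary continues past the end of the hunk, so the failed-read path is not covered by this note.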