authorChris Evans <cevans@chromium.org>2011-06-29 15:44:40 -0700
committerRonald S. Bultje <rsbultje@gmail.com>2011-07-11 16:37:11 -0700
commit4cc3467e7abfea7e8d03b6af511f7719038a5a98 (patch)
treebe47610fc6a7dab1a33f01257eac9cfb65405ada
parentb047941d7da470ba0dcedb1fd0aa828075265ffc (diff)
downloadffmpeg-4cc3467e7abfea7e8d03b6af511f7719038a5a98.tar.gz
oggdec: prevent heap corruption.
Specifically crafted samples can reinit ogg->streams[] while reading samples, and thus we should not cache old pointers since these may no longer be valid. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
-rw-r--r--libavformat/oggdec.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index e33de7d978..3d03a5f974 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -592,15 +592,15 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
int64_t *pos_arg, int64_t pos_limit)
{
struct ogg *ogg = s->priv_data;
- struct ogg_stream *os = ogg->streams + stream_index;
AVIOContext *bc = s->pb;
int64_t pts = AV_NOPTS_VALUE;
- int i;
+ int i = -1;
avio_seek(bc, *pos_arg, SEEK_SET);
ogg_reset(ogg);
while (avio_tell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
if (i == stream_index) {
+ struct ogg_stream *os = ogg->streams + stream_index;
pts = ogg_calc_pts(s, i, NULL);
if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
pts = AV_NOPTS_VALUE;
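Review bot: Nothing in the code records why `os` is now declared inside the `if (i == stream_index)` block instead of at the top of ogg_read_timestamp, so a later tidy-up could hoist it back above the loop and reintroduce the stale pointer. Per the commit message, ogg->streams[] can be reinitialised while packets are being read, so I would put a comment on the new declaration, for example `/* ogg_packet() may reinit ogg->streams[]; look os up again after each call, never cache it across one */`. The same reasoning applies to the `os` reassignment in the ogg_read_seek hunk below. The loop body continues past the end of this hunk.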
@@ -626,6 +626,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index,
os->keyframe_seek = 1;
ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+ os = ogg->streams + stream_index;
if (ret < 0)
os->keyframe_seek = 0;
return ret;
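Review bot: The re-derived `os = ogg->streams + stream_index;` assumes `stream_index` is still a valid index once av_seek_frame_binary() has returned, and nothing in the hunk checks that. If the reinit described in the commit message can leave the array with fewer entries than before (not visible from here), the `os->keyframe_seek = 0` write on the error path would land outside the allocation. Bounding the write by the current stream count would close that gap, e.g. `if (ret < 0 && stream_index < ogg->nstreams) ogg->streams[stream_index].keyframe_seek = 0;`, assuming `nstreams` is the count kept next to `streams`. ogg_read_seek starts above the hunk, so any earlier validation of `stream_index` is out of view.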