diff options
| author | Dale Curtis <dalecurtis@chromium.org> | 2012-03-07 14:26:58 -0800 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2013-01-12 19:34:40 +0100 |
| commit | 55065315caf138223b1f2f4e168fc64f601d1352 (patch) | |
| tree | b1cb6c8807982a838b8d5d86d84d57a550dc74ff | |
| parent | 808187965570012cca99a7c0fdf1d93652947285 (diff) | |
| download | ffmpeg-55065315caf138223b1f2f4e168fc64f601d1352.tar.gz | |
Fix uninitialized reads on malformed ogg files.
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavformat/oggdec.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 18201677b8..8c94f4e618 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { @@ -184,7 +183,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); @@ -293,7 +292,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -306,6 +305,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; |