diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2013-01-04 16:05:51 +0100 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2013-03-09 18:54:27 +0100 |
| commit | 8829c79039379e7fde64a837f3dbae088a4dbdbb (patch) | |
| tree | 430eb2513d5afa5095e48a8fcb2425eff77603b2 | |
| parent | 6a9f050c225e7c54cdbb6d4098458cff94d954c5 (diff) | |
| download | ffmpeg-8829c79039379e7fde64a837f3dbae088a4dbdbb.tar.gz | |
oggdec: make sure the private parse data is cleaned up
(cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646)
Related to CVE-2012-2882
Conflicts:
libavformat/oggdec.h
libavformat/oggparsevorbis.c
| -rw-r--r-- | libavformat/oggdec.c | 4 | ||||
| -rw-r--r-- | libavformat/oggdec.h | 5 | ||||
| -rw-r--r-- | libavformat/oggparsevorbis.c | 14 |
3 files changed, 22 insertions, 1 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 3079685652..2a1c0a5f6f 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -508,6 +508,10 @@ static int ogg_read_close(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++) { av_free(ogg->streams[i].buf); + if (ogg->streams[i].codec && + ogg->streams[i].codec->cleanup) { + ogg->streams[i].codec->cleanup(s, i); + } av_free(ogg->streams[i].private); } av_free(ogg->streams); diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index 184a628622..1a702c32d2 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -51,6 +51,11 @@ struct ogg_codec { * 0 if granule is the end time of the associated packet. */ int granule_is_start; + /** + * Number of expected headers + */ + int nb_header; + void (*cleanup)(AVFormatContext *s, int idx); }; struct ogg_stream { diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index ba9b348456..0c26684dd2 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -188,6 +188,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } +static int vorbis_cleanup(AVFormatContext *s, int idx) +{ + struct ogg *ogg = s->priv_data; + struct ogg_stream *os = ogg->streams + idx; + struct oggvorbis_private *priv = os->private; + int i; + if (os->private) + for (i = 0; i < 3; i++) + av_freep(&priv->packet[i]); +} static int vorbis_header (AVFormatContext * s, int idx) @@ -278,5 +288,7 @@ vorbis_header (AVFormatContext * s, int idx) const struct ogg_codec ff_vorbis_codec = { .magic = "\001vorbis", .magicsize = 7, - .header = vorbis_header + .header = vorbis_header, + .cleanup= vorbis_cleanup, + .nb_header = 3, }; |