authorwm4 <nfxjfg@googlemail.com>2015-06-17 00:21:02 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2015-08-20 14:38:25 +0200
commit9d0aa058c997db60de84d2e05b08dabead9cb6e0 (patch)
treec61eafd8ce44b5e35e736c5b816aaeb114692799
parent5302adb32367c95b765c82122b1d922d0df93b52 (diff)
downloadffmpeg-9d0aa058c997db60de84d2e05b08dabead9cb6e0.tar.gz
avio: fix potential crashes when combining ffio_ensure_seekback + crc
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavformat/aviobuf.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 30db4a66dc..74686d1d15 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -783,6 +783,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
int max_buffer_size = s->max_packet_size ?
s->max_packet_size : IO_BUFFER_SIZE;
int filled = s->buf_end - s->buffer;
+ ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
buf_size += s->buf_ptr - s->buffer + max_buffer_size;
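Review bot: The added declaration runs well past 80 columns, while the neighbouring declaration two lines above is wrapped to stay inside that width; for consistency split it the same way, `ptrdiff_t checksum_ptr_offset = s->checksum_ptr ?` / `                                s->checksum_ptr - s->buffer : -1;`. The offset is only meaningful if checksum_ptr points into s->buffer; the commit message implies it is set by ffio_init_checksum() from the current buffer, so that holds presumably, but the subtraction is undefined if the invariant is ever broken and a short comment stating it, `/* checksum_ptr, if set, points into s->buffer; remember it as an offset across the realloc below */`, would help the next maintainer. The function ffio_ensure_seekback begins before this hunk and continues past it.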
@@ -800,6 +801,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
s->buf_end = buffer + (s->buf_end - s->buffer);
s->buffer = buffer;
s->buffer_size = buf_size;
+ if (checksum_ptr_offset >= 0)
+ s->checksum_ptr = s->buffer + checksum_ptr_offset;
return 0;
}
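Review bot: The restore is done differently from the buf_ptr/buf_end relocation three lines above, which rebase the pointers inline before s->buffer is overwritten; doing the same for checksum_ptr avoids the saved offset and the -1 sentinel altogether: insert `if (s->checksum_ptr)` / `    s->checksum_ptr = buffer + (s->checksum_ptr - s->buffer);` immediately before `s->buffer = buffer;` and drop the trailing `if (checksum_ptr_offset >= 0)` block (the offset variable added in the earlier hunk then becomes unnecessary). Either form is correct for this path; the early-return paths between the two hunks are not visible here but, since they return before the new buffer is allocated, they presumably need no restore. The function starts outside this hunk.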