field | value | date
---|---|---
author | wm4 <nfxjfg@googlemail.com> | 2015-06-17 00:21:02 +0200
committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-07-20 04:43:40 +0200
commit | c049e979b60542c53894e812d5921a455b7c16a3 |
tree | fbfd47ebde517673132666403a2c08567f41dcfb |
parent | 7b1c5fa5e5790eb4649287f53f8ade496f596661 |
download | ffmpeg-c049e979b60542c53894e812d5921a455b7c16a3.tar.gz |
avio: fix potential crashes when combining ffio_ensure_seekback + crc
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
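To make the defect described in the commit message concrete, the following is an added example (not FFmpeg code and not part of this commit) that models the buffer/checksum_ptr relationship with a minimal stand-in struct. The struct, the Adler-32 used in place of FFmpeg's CRC, and the helpers grow_buffer, fold_checksum, checksum_ptr_in_buffer and run_scenario are assumptions made for the example. It shows the pointer invariant breaking when the buffer is moved without rebasing checksum_ptr, and holding when the offset is saved before the move and reapplied afterwards, which is what the commit does:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the AVIOContext fields involved (names mirror aviobuf.c; the
 * struct itself is an assumption for this example, not FFmpeg's). */
struct iobuf {
    unsigned char *buffer, *buf_ptr, *buf_end;
    unsigned char *checksum_ptr;  /* bytes before this are checksummed; NULL = off */
    size_t buffer_size;
    uint32_t checksum;            /* running checksum state */
};

/* Adler-32 stands in for FFmpeg's CRC; any resumable checksum shows the point. */
static uint32_t adler32_update(uint32_t adler, const unsigned char *p, size_t len)
{
    uint32_t a = adler & 0xffff, b = adler >> 16;
    while (len--) {
        a = (a + *p++) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

/* Checksum [checksum_ptr, buf_ptr) and advance checksum_ptr to buf_ptr. */
static void fold_checksum(struct iobuf *s)
{
    if (!s->checksum_ptr)
        return;
    s->checksum = adler32_update(s->checksum, s->checksum_ptr,
                                 (size_t)(s->buf_ptr - s->checksum_ptr));
    s->checksum_ptr = s->buf_ptr;
}

/* Move the data into a larger block the way ffio_ensure_seekback does
 * (allocate, copy, free): every pointer into the old block must be rebased.
 * rebase == 0 reproduces the defect, checksum_ptr keeps its old value. */
static int grow_buffer(struct iobuf *s, size_t new_size, int rebase)
{
    ptrdiff_t checksum_off = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
    size_t filled = (size_t)(s->buf_end - s->buffer);
    unsigned char *nb;

    if (new_size <= s->buffer_size)
        return 0;
    nb = malloc(new_size);   /* old block still live, so the two never overlap */
    if (!nb)
        return -1;
    memcpy(nb, s->buffer, filled);
    s->buf_ptr = nb + (s->buf_ptr - s->buffer);
    s->buf_end = nb + filled;
    free(s->buffer);
    s->buffer = nb;
    s->buffer_size = new_size;
    if (rebase && checksum_off >= 0)
        s->checksum_ptr = s->buffer + checksum_off;   /* the commit's fix */
    return 0;
}

/* Invariant every reallocation must preserve while a checksum is in progress.
 * (Comparing a stale pointer is itself undefined in strict C; it is done here
 * only to make the broken invariant visible without dereferencing it.) */
static int checksum_ptr_in_buffer(const struct iobuf *s)
{
    return s->checksum_ptr >= s->buffer && s->checksum_ptr <= s->buf_end;
}

/* Constructed scenario: 64 bytes buffered, 24 consumed and checksummed, the
 * buffer grown to 4096 bytes, then the remaining 40 bytes consumed. Returns 1
 * when checksum_ptr still lies inside the buffer and the resumed checksum equals
 * an Adler-32 over all 64 bytes in one go, 0 when the pointer is stale (the
 * second fold is then skipped instead of reading freed memory). */
static int run_scenario(int rebase)
{
    unsigned char data[64];
    struct iobuf s;
    int i, ok;

    for (i = 0; i < 64; i++)
        data[i] = (unsigned char)(i * 7 + 3);
    if (!(s.buffer = malloc(64)))
        return -1;
    memcpy(s.buffer, data, 64);
    s.buffer_size = 64;
    s.buf_ptr = s.buffer;
    s.buf_end = s.buffer + 64;
    s.checksum_ptr = s.buffer;  /* what ffio_init_checksum() establishes */
    s.checksum = 1;
    s.buf_ptr += 24;
    fold_checksum(&s);
    if (grow_buffer(&s, 4096, rebase) < 0) {
        free(s.buffer);
        return -1;
    }
    ok = checksum_ptr_in_buffer(&s);
    if (ok) {
        s.buf_ptr += 40;
        fold_checksum(&s);
        ok = s.checksum == adler32_update(1, data, 64);
    }
    free(s.buffer);
    return ok;
}
```

run_scenario(1) resumes the checksum correctly after the move; run_scenario(0) reports the stale pointer and stops before the read that, in the real code, went into freed memory. The general rule the example encodes is that any interior pointer into a reallocatable buffer should be stored, or at least restored, as an offset from the buffer base rather than as an absolute address.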
-rw-r--r-- | libavformat/aviobuf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 537c11f6b4..db066f8707 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -800,6 +800,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int filled = s->buf_end - s->buffer; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -817,6 +818,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } |
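Review bot: in the first hunk, the `-1` sentinel in `ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;` makes a checksum_ptr that lies before s->buffer indistinguishable from "no checksum in progress", and an offset beyond the bytes that get copied would be rebased into the new buffer without complaint; since `int filled = s->buf_end - s->buffer;` is computed on the line just above, an `av_assert2(checksum_ptr_offset <= filled)` next to the offset computation would turn an already-stale pointer into a clear failure instead of a silent skip or a fresh out-of-bounds pointer.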
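Review bot: in the second hunk, the rebase `s->checksum_ptr = s->buffer + checksum_ptr_offset;` needs a one-line comment saying that checksum_ptr pointed into the block that was just replaced, so that the next person touching this function does not move it above `s->buffer = buffer;` or drop it as apparently redundant; its current placement after the assignment of the new buffer is the correct order. The commit message names ffio_ensure_seekback as the only path that failed to update checksum_ptr; it would be worth stating in the message whether the other places in aviobuf.c that replace s->buffer were checked for the same omission.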