author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 12:28:50 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2013-02-10 18:01:15 +0100 |
commit | 9def5c466648d970f8d3e03d4b3947a6852d9c61 (patch) | |
tree | 421170c92607bb5260d6a8094f2918d904b0aba2 /libavcodec | |
parent | 7aeb281aa5078726eef5f7db0e7b513932454dc0 (diff) | |
download | ffmpeg-9def5c466648d970f8d3e03d4b3947a6852d9c61.tar.gz |
shorten: Use separate pointers for the allocated memory for decoded samples.
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/shorten.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 9d66d76b4f..09290fc1ed 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -82,6 +82,7 @@ typedef struct ShortenContext {
 int channels;
 int32_t *decoded[MAX_CHANNELS];
+ int32_t *decoded_base[MAX_CHANNELS];
 int32_t *offset[MAX_CHANNELS];
 uint8_t *bitstream;
 int bitstream_size;
@@ -129,13 +130,14 @@ static int allocate_buffers(ShortenContext *s)
 return AVERROR(ENOMEM);
 s->offset[chan] = tmp_ptr;
- tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
+ tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
+ sizeof(s->decoded_base[0][0]));
 if (!tmp_ptr)
 return AVERROR(ENOMEM);
- s->decoded[chan] = tmp_ptr;
+ s->decoded_base[chan] = tmp_ptr;
 for (i=0; i<s->nwrap; i++)
- s->decoded[chan][i] = 0;
- s->decoded[chan] += s->nwrap;
+ s->decoded_base[chan][i] = 0;
+ s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
 }
 return 0;
 }
@@ -523,8 +525,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
 int i;
 for (i = 0; i < s->channels; i++) {
- s->decoded[i] -= s->nwrap;
- av_freep(&s->decoded[i]);
+ s->decoded[i] = NULL;
+ av_freep(&s->decoded_base[i]);
 av_freep(&s->offset[i]);
 }
 av_freep(&s->bitstream); |
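Review bot: The new `decoded_base` field in ShortenContext has no comment, so the ownership split between it and `decoded` can only be learned by reading allocate_buffers() and shorten_decode_close(). I would add a comment above the two fields, for example `/* decoded_base[ch] owns the allocation; decoded[ch] = decoded_base[ch] + nwrap and must never be passed to av_realloc()/av_freep() */`. The struct definition starts and ends outside this hunk.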
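Review bot: The size expression `(s->blocksize + s->nwrap) * sizeof(s->decoded_base[0][0])` in allocate_buffers() still adds the two fields in their own type before widening, and the loop right after it writes `nwrap` elements into the new buffer. The types of `blocksize` and `nwrap` and any range checks on them are outside this hunk; if they are plain `int`s taken from the stream header, a wrapped sum would give a buffer shorter than the zeroing loop and the `+ s->nwrap` offset assume. Unless the header parser already bounds them, a guard before the realloc would make the invariant explicit: `if (s->nwrap < 0 || s->blocksize < 0 || s->blocksize > INT_MAX / (int)sizeof(int32_t) - s->nwrap) return AVERROR_INVALIDDATA;`. allocate_buffers() begins above the hunk.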
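Review bot: The free loop in shorten_decode_close() is still bounded by `s->channels`, so it is only safe if that field never exceeds MAX_CHANNELS and never shrinks after buffers were allocated; neither is visible here. All three arrays are declared with MAX_CHANNELS entries and av_freep() on a NULL entry does nothing, so `for (i = 0; i < MAX_CHANNELS; i++) {` would release everything whatever a failed or repeated header parse left in `channels` (assuming the context starts zero-filled). With that bound the `s->decoded[i] = NULL;` reset stays correct as written. The function's opening lines are outside the hunk.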