diff options
author | Michael Schenk <michael.schenk@albis-elcon.com> | 2016-11-25 09:36:20 +0100 |
---|---|---|
committer | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-11-30 01:15:38 +0100 |
commit | 18b94669372d3d4b6c51e347587ea64acef9dbb8 (patch) | |
tree | 15a9c2d1ef0bfdf6fda051e05a49e8e8879581ca /libavformat/matroskadec.c | |
parent | 2475858889cde6221677473b663df6f985add33d (diff) | |
download | ffmpeg-18b94669372d3d4b6c51e347587ea64acef9dbb8.tar.gz |
matroskadec: prevent access of elements after freeing
Using the decode interrupt feature of ffmpeg may cause crashes by
accessing previously freed pointers in matroska_read_close.
To prevent this reset nb_elem to zero after freeing the elements,
because ffmpeg normally tests for nb_elem.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Diffstat (limited to 'libavformat/matroskadec.c')
-rw-r--r-- | libavformat/matroskadec.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f79511e4f1..d96e861c48 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1237,6 +1237,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) j++, ptr += syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); av_freep(&list->elem); + list->nb_elem = 0; } else ebml_free(syntax[i].def.n, data_off); default: |