authorMichael Schenk <michael.schenk@albis-elcon.com>2016-11-25 09:36:20 +0100
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-30 01:15:38 +0100
commit18b94669372d3d4b6c51e347587ea64acef9dbb8 (patch)
tree15a9c2d1ef0bfdf6fda051e05a49e8e8879581ca /libavformat/matroskadec.c
parent2475858889cde6221677473b663df6f985add33d (diff)
matroskadec: prevent access of elements after freeing
Using the decode interrupt feature of ffmpeg may cause crashes by accessing previously freed pointers in matroska_read_close. To prevent this, reset nb_elem to zero after freeing the elements, because ffmpeg normally tests for nb_elem. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Diffstat (limited to 'libavformat/matroskadec.c')
-rw-r--r--libavformat/matroskadec.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f79511e4f1..d96e861c48 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1237,6 +1237,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data)
j++, ptr += syntax[i].list_elem_size)
ebml_free(syntax[i].def.n, ptr);
av_freep(&list->elem);
+ list->nb_elem = 0;
} else
ebml_free(syntax[i].def.n, data_off);
default:
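Review bot: The added `list->nb_elem = 0;` carries no comment, so the reason for it lives only in the commit message. `av_freep(&list->elem)` already nulls the pointer, and the reset is what stops a later pass from walking a stale count over it. A one-line comment above it would keep the invariant visible, for example `/* keep the count in step with the freed array; ebml_free() may run again on this data */`. The unbraced `else` branch then runs into `default:` with no `break` or marker. If that is intended, a `/* fallthrough */` comment would say so; what `default:` does is outside the hunk, as are the start and end of ebml_free.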