avformat/oggdec: Check buf before copying data in to it
Fixes null pointer dereference Fixes: aace024653cc62947336b86f8de812ab_signal_sigsegv_a0500f_343_WobblyWindowsIntro.ogg with memlimit 262144 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
5d346feafa
commit
32d023eb6d
@ -60,6 +60,7 @@ static const struct ogg_codec * const ogg_codecs[] = {
|
||||
|
||||
static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts);
|
||||
static int ogg_new_stream(AVFormatContext *s, uint32_t serial);
|
||||
static int ogg_restore(AVFormatContext *s, int discard);
|
||||
|
||||
//FIXME We could avoid some structure duplication
|
||||
static int ogg_save(AVFormatContext *s)
|
||||
@ -68,6 +69,7 @@ static int ogg_save(AVFormatContext *s)
|
||||
struct ogg_state *ost =
|
||||
av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams));
|
||||
int i;
|
||||
int ret = 0;
|
||||
|
||||
if (!ost)
|
||||
return AVERROR(ENOMEM);
|
||||
@ -81,14 +83,20 @@ static int ogg_save(AVFormatContext *s)
|
||||
for (i = 0; i < ogg->nstreams; i++) {
|
||||
struct ogg_stream *os = ogg->streams + i;
|
||||
os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
|
||||
memcpy(os->buf, ost->streams[i].buf, os->bufpos);
|
||||
if (os->buf)
|
||||
memcpy(os->buf, ost->streams[i].buf, os->bufpos);
|
||||
else
|
||||
ret = AVERROR(ENOMEM);
|
||||
os->new_metadata = NULL;
|
||||
os->new_metadata_size = 0;
|
||||
}
|
||||
|
||||
ogg->state = ost;
|
||||
|
||||
return 0;
|
||||
if (ret < 0)
|
||||
ogg_restore(s, 0);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int ogg_restore(AVFormatContext *s, int discard)
|
||||
|
Loading…
Reference in New Issue
Block a user