generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avio: fix potential crashes when combining ffio_ensure_seekback + crc

Browse Source 
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.

This effectively fixes potential crashes when opening mp3 files.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc87758775)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
wm4
2015-06-17 00:21:02 +02:00
committed by Michael Niedermayer
parent 8a24ccfee3
commit 9473e5a05d
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/aviobuf.c
View File

@@ -812,6 +812,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
int max_buffer_size = s->max_packet_size ?
s->max_packet_size : IO_BUFFER_SIZE;
int filled = s->buf_end - s->buffer;
ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
buf_size += s->buf_ptr - s->buffer + max_buffer_size;
@@ -829,6 +830,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
s->buf_end = buffer + (s->buf_end - s->buffer);
s->buffer = buffer;
s->buffer_size = buf_size;
if (checksum_ptr_offset >= 0)
s->checksum_ptr = s->buffer + checksum_ptr_offset;
return 0;
}