generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix uninitialized reads on malformed ogg files.

Browse Source 
The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d779706)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Dale Curtis
2012-03-07 14:26:58 -08:00
committed by Reinhard Tartler
parent 2e1474fd99
commit c3761b6618
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libavformat/oggdec.c
View File

@@ -66,8 +66,7 @@ ogg_save (AVFormatContext * s)
for (i = 0; i < ogg->nstreams; i++){ for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i; struct ogg_stream *os = ogg->streams + i;
os->buf = av_malloc (os->bufsize); os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memset (os->buf, 0, os->bufsize);
memcpy (os->buf, ost->streams[i].buf, os->bufpos); memcpy (os->buf, ost->streams[i].buf, os->bufpos);
} }
@@ -166,7 +165,7 @@ ogg_new_stream (AVFormatContext * s, uint32_t serial)
os = ogg->streams + idx; os = ogg->streams + idx;
os->serial = serial; os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE; os->bufsize = DECODER_BUFFER_SIZE;
os->buf = av_malloc(os->bufsize); os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1; os->header = -1;
st = av_new_stream (s, idx); st = av_new_stream (s, idx);
@@ -182,7 +181,7 @@ static int
ogg_new_buf(struct ogg *ogg, int idx) ogg_new_buf(struct ogg *ogg, int idx)
{ {
struct ogg_stream *os = ogg->streams + idx; struct ogg_stream *os = ogg->streams + idx;
uint8_t *nb = av_malloc(os->bufsize); uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart; int size = os->bufpos - os->pstart;
if(os->buf){ if(os->buf){
memcpy(nb, os->buf + os->pstart, size); memcpy(nb, os->buf + os->pstart, size);
@@ -279,7 +278,7 @@ ogg_read_page (AVFormatContext * s, int *str)
} }
if (os->bufsize - os->bufpos < size){ if (os->bufsize - os->bufpos < size){
uint8_t *nb = av_malloc (os->bufsize *= 2); uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (nb, os->buf, os->bufpos); memcpy (nb, os->buf, os->bufpos);
av_free (os->buf); av_free (os->buf);
os->buf = nb; os->buf = nb;
@@ -293,6 +292,7 @@ ogg_read_page (AVFormatContext * s, int *str)
os->granule = gp; os->granule = gp;
os->flags = flags; os->flags = flags;
memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str) if (str)
*str = idx; *str = idx;