avio: fix potential crashes when combining ffio_ensure_seekback + crc
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
e29d996149
commit
dc87758775
@ -813,6 +813,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
|
||||
int max_buffer_size = s->max_packet_size ?
|
||||
s->max_packet_size : IO_BUFFER_SIZE;
|
||||
int filled = s->buf_end - s->buffer;
|
||||
ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
|
||||
|
||||
buf_size += s->buf_ptr - s->buffer + max_buffer_size;
|
||||
|
||||
@ -830,6 +831,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
|
||||
s->buf_end = buffer + (s->buf_end - s->buffer);
|
||||
s->buffer = buffer;
|
||||
s->buffer_size = buf_size;
|
||||
if (checksum_ptr_offset >= 0)
|
||||
s->checksum_ptr = s->buffer + checksum_ptr_offset;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
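Review bot: The re-basing in the last two added lines relies on checksum_ptr lying inside the old buffer and on -1 never being a real offset, but nothing at the declaration says so; I'd add above the ptrdiff_t line: `/* checksum_ptr points into s->buffer; keep it as an offset so it survives the reallocation below (-1 = no checksum in progress) */`. Saving the offset before the old buffer is released is the right way round, since it avoids pointer arithmetic on memory that has already been freed. Any other path that replaces s->buffer (ffio_set_buf_size looks like one, if it does not reset checksum_ptr) would leave the same dangling pointer; that is outside this hunk and worth checking separately. The lines between the two hunks, including the early return, allocation and copy, are not shown here.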