Fix uninitialized reads on malformed ogg files.

The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes, which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Dale Curtis 2012-03-07 14:26:58 -08:00 committed by Ronald S. Bultje
parent 4ffe5e2aa5
commit ef0d779706


@ -70,8 +70,7 @@ static int ogg_save(AVFormatContext *s)
for (i = 0; i < ogg->nstreams; i++){ for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i; struct ogg_stream *os = ogg->streams + i;
os->buf = av_malloc (os->bufsize); os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memset (os->buf, 0, os->bufsize);
memcpy (os->buf, ost->streams[i].buf, os->bufpos); memcpy (os->buf, ost->streams[i].buf, os->bufpos);
} }
@ -168,7 +167,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
os = ogg->streams + idx; os = ogg->streams + idx;
os->serial = serial; os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE; os->bufsize = DECODER_BUFFER_SIZE;
os->buf = av_malloc(os->bufsize); os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1; os->header = -1;
if (new_avstream) { if (new_avstream) {
@ -186,7 +185,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
static int ogg_new_buf(struct ogg *ogg, int idx) static int ogg_new_buf(struct ogg *ogg, int idx)
{ {
struct ogg_stream *os = ogg->streams + idx; struct ogg_stream *os = ogg->streams + idx;
uint8_t *nb = av_malloc(os->bufsize); uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart; int size = os->bufpos - os->pstart;
if(os->buf){ if(os->buf){
memcpy(nb, os->buf + os->pstart, size); memcpy(nb, os->buf + os->pstart, size);
@ -297,7 +296,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
} }
if (os->bufsize - os->bufpos < size){ if (os->bufsize - os->bufpos < size){
uint8_t *nb = av_malloc (os->bufsize *= 2); uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (nb, os->buf, os->bufpos); memcpy (nb, os->buf, os->bufpos);
av_free (os->buf); av_free (os->buf);
os->buf = nb; os->buf = nb;
@ -311,6 +310,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
os->granule = gp; os->granule = gp;
os->flags = flags; os->flags = flags;
memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str) if (str)
*str = idx; *str = idx;