[FFmpeg-cvslog] oggdec: prevent heap corruption.

Chris Evans git at videolan.org
Sun Nov 6 02:00:01 CET 2011


ffmpeg | branch: release/0.6 | Chris Evans <cevans at chromium.org> | Thu Aug  4 22:00:29 2011 +0200| [88ea7ca6279720de9c8db0a4c9a2928e6c7f6061] | committer: Reinhard Tartler

oggdec: prevent heap corruption.

Specially crafted samples can reinit ogg->streams[] while
reading samples, and thus we should not cache old pointers since
these may no longer be valid.

Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry-picked from commit 4cc3467e7abfea7e8d03b6af511f7719038a5a98)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=88ea7ca6279720de9c8db0a4c9a2928e6c7f6061
---

 libavformat/oggdec.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 3161e68..76b28ab 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -577,20 +577,19 @@ ogg_read_close (AVFormatContext * s)
 }
 
 
-static int64_t
-ogg_read_timestamp (AVFormatContext * s, int stream_index, int64_t * pos_arg,
-                    int64_t pos_limit)
+static int64_t ogg_read_timestamp (AVFormatContext * s, int stream_index,
+                                   int64_t * pos_arg, int64_t pos_limit)
 {
     struct ogg *ogg = s->priv_data;
-    struct ogg_stream *os = ogg->streams + stream_index;
     ByteIOContext *bc = s->pb;
     int64_t pts = AV_NOPTS_VALUE;
-    int i;
+    int i = -1;
     url_fseek(bc, *pos_arg, SEEK_SET);
     ogg_reset(ogg);
 
     while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
         if (i == stream_index) {
+            struct ogg_stream *os = ogg->streams + stream_index;
             pts = ogg_calc_pts(s, i, NULL);
             if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
                 pts = AV_NOPTS_VALUE;
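Review bot: The reason `os` is now taken inside the loop, right after `if (i == stream_index)`, is not visible in the code itself, so a later cleanup could hoist it straight back out and reintroduce the stale pointer; add `/* ogg_packet() may reinit ogg->streams, so take the pointer fresh after each call */` above that line. The same applies to the refresh `os = ogg->streams + stream_index;` placed after `av_seek_frame_binary()` in the second hunk, which merits the same comment. If a reinit can also change the number of streams, `stream_index` itself may no longer be in range after the call; both hunks index without a bound check, which may be fine if the caller guarantees it, but is worth confirming. The body of ogg_read_timestamp continues past the end of this hunk, and ogg_read_seek begins before the second hunk.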
@@ -615,6 +614,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
         os->keyframe_seek = 1;
 
     ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+    os = ogg->streams + stream_index;
     if (ret < 0)
         os->keyframe_seek = 0;
     return ret;


