[FFmpeg-cvslog] avformat/oggdec: Check buf before copying data in to it

Michael Niedermayer git at videolan.org
Mon Jul 13 22:11:18 CEST 2015


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Jul 13 21:44:26 2015 +0200| [32d023eb6d0a80be551d8cfb207df61928db930b] | committer: Michael Niedermayer

avformat/oggdec: Check buf before copying data in to it

Fixes null pointer dereference
Fixes: aace024653cc62947336b86f8de812ab_signal_sigsegv_a0500f_343_WobblyWindowsIntro.ogg with memlimit 262144

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=32d023eb6d0a80be551d8cfb207df61928db930b
---

 libavformat/oggdec.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 72d96e8..0a9f337 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -60,6 +60,7 @@ static const struct ogg_codec * const ogg_codecs[] = {
 
 static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts);
 static int ogg_new_stream(AVFormatContext *s, uint32_t serial);
+static int ogg_restore(AVFormatContext *s, int discard);
 
 //FIXME We could avoid some structure duplication
 static int ogg_save(AVFormatContext *s)
@@ -68,6 +69,7 @@ static int ogg_save(AVFormatContext *s)
     struct ogg_state *ost =
         av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams));
     int i;
+    int ret = 0;
 
     if (!ost)
         return AVERROR(ENOMEM);
@@ -81,14 +83,20 @@ static int ogg_save(AVFormatContext *s)
     for (i = 0; i < ogg->nstreams; i++) {
         struct ogg_stream *os = ogg->streams + i;
         os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
-        memcpy(os->buf, ost->streams[i].buf, os->bufpos);
+        if (os->buf)
+            memcpy(os->buf, ost->streams[i].buf, os->bufpos);
+        else
+            ret = AVERROR(ENOMEM);
         os->new_metadata      = NULL;
         os->new_metadata_size = 0;
     }
 
     ogg->state = ost;
 
-    return 0;
+    if (ret < 0)
+        ogg_restore(s, 0);
+
+    return ret;
 }
 
 static int ogg_restore(AVFormatContext *s, int discard)
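Review bot: The loop in ogg_save deliberately keeps running after an allocation failure instead of breaking, and that intent deserves a comment, because a reader will otherwise "fix" it with a `break`. On failure the stream's `os->buf` is left NULL while `ost->streams[i].buf` still owns the old buffer, and for any stream not yet visited the two pointers alias the same block; if ogg_restore() frees each current `os->buf` before copying the saved streams back (its body lies outside the hunk, so this is inferred), an early exit would free the buffer the saved state is about to reuse. I would add above the `if (os->buf)` line: `/* Do not break on failure: every os->buf must be replaced (or NULL) before ogg_restore() frees them, since ost still owns the originals. */`. The return value of `ogg_restore(s, 0)` is also discarded on the error path; that is acceptable since `ret` already carries AVERROR(ENOMEM), but a short comment saying so would make it explicit.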


