[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()
dalecurtis at chromium.org
Mon Apr 16 22:57:21 CEST 2012
From: Dale Curtis <dalecurtis at chromium.org>
Prevents an OOB write of size 4 when ogg_read_seek is called with
a stream_index >= ogg->nstreams.
In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
stream_index == 1, causing os->keyframe_seek = 1 to write OOB.
Test case available on request.
Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
---
libavformat/oggdec.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index bdd2c5b..72dbb47 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -687,6 +687,9 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index,
struct ogg_stream *os = ogg->streams + stream_index;
int ret;
+ if (stream_index >= ogg->nstreams)
+ return AVERROR_STREAM_NOT_FOUND;
+
// Ensure everything is reset even when seeking via
// the generated index.
ogg_reset(ogg);
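Review bot: the new bounds check sits below `struct ogg_stream *os = ogg->streams + stream_index;`, so the out-of-range pointer is still formed before the check rejects it. It is not dereferenced before the return, but forming a pointer more than one element past the end of the streams array is undefined behaviour in C, and the pattern invites a later edit to use `os` earlier; declare `os` without the initializer and assign it after the check, e.g. `os = ogg->streams + stream_index;` immediately after the `return AVERROR_STREAM_NOT_FOUND;`. The check also only covers `stream_index >= ogg->nstreams`; `stream_index` is a signed int, and a negative value would index before the array just as badly, so unless every caller of `ogg_read_seek` is known to pass a non-negative index, widen it to `if (stream_index < 0 || stream_index >= ogg->nstreams)`.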
--
1.7.7.3