[FFmpeg-devel] [PATCH] avcodec/dvdsubdec: fix accessing dangling pointers
michaelni at gmx.at
Thu Jan 8 18:04:22 CET 2015
On Thu, Jan 08, 2015 at 05:19:17PM +0100, wm4 wrote:
> dvdsub_decode() can call append_to_cached_buf() 2 times, the second time
> with ctx->buf as argument. If the second append_to_cached_buf() reallocs
> ctx->buf, the argument will be a pointer to the previous, freed block.
> This can cause invalid reads at least with some fuzzed files - and
> possibly with valid files.
> Since packets can apparently not be larger than 64K (even if packets are
> combined), just use a fixed size buffer. It will be allocated as part of
> the DVDSubContext, and although some memory is "wasted", it's relatively
> minimal by modern standards and should be acceptable.
> libavcodec/dvdsubdec.c | 12 +++---------
> 1 file changed, 3 insertions(+), 9 deletions(-)
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 181 bytes
Desc: Digital signature
More information about the ffmpeg-devel