[FFmpeg-devel] [PATCH] Fix uninitialized reads on malformed ogg files.

Dale Curtis dalecurtis at chromium.org
Wed Mar 7 23:28:06 CET 2012


My original patch missed two allocations, the new one gets them all.

Thanks in advance.

- dale

On Wed, Mar 7, 2012 at 2:26 PM, <dalecurtis at chromium.org> wrote:

> From: Dale Curtis <dalecurtis at chromium.org>
>
> The ogg decoder wasn't padding the input buffer with the appropriate
> FF_INPUT_BUFFER_PADDING_SIZE bytes, which led to uninitialized reads in
> various pieces of parsing code when they thought they had more data than
> they actually did.
>
> Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
> ---
>  libavformat/oggdec.c |   10 +++++-----
>  1 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
> index 39f99e5..bdd2c5b 100644
> --- a/libavformat/oggdec.c
> +++ b/libavformat/oggdec.c
> @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s)
>
>     for (i = 0; i < ogg->nstreams; i++){
>         struct ogg_stream *os = ogg->streams + i;
> -        os->buf = av_malloc (os->bufsize);
> -        memset (os->buf, 0, os->bufsize);
> +        os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
>         memcpy (os->buf, ost->streams[i].buf, os->bufpos);
>     }
>
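Review bot: The av_mallocz() result on the `+` line is used unchecked by the memcpy on the next line, so an allocation failure dereferences NULL; the same unchecked allocation appears in the ogg_new_stream, ogg_new_buf and ogg_read_page hunks below. A check such as `if (!os->buf) return AVERROR(ENOMEM);` directly after the allocation would cover it, assuming ogg_save's callers treat a negative return as failure. The loop and the rest of ogg_save continue outside the hunk, so I cannot tell from here whether buffers allocated for earlier streams would need releasing on that path.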
> @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t
> serial, int new_avstream)
>      os = ogg->streams + idx;
>     os->serial = serial;
>     os->bufsize = DECODER_BUFFER_SIZE;
> -    os->buf = av_malloc(os->bufsize);
> +    os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
>     os->header = -1;
>
>     if (new_avstream) {
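Review bot: The padding reserved on the `+` line is allocated with av_malloc, so those FF_INPUT_BUFFER_PADDING_SIZE bytes stay uninitialized until the memset added in ogg_read_page runs; the ogg_save hunk above uses av_mallocz for the equivalent allocation, and ogg_new_buf below also copies into an av_malloc'd buffer without zeroing the tail. Using `os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` here (and av_mallocz in ogg_new_buf) would make the padding defined from allocation instead of depending on a later page read, which I infer is the intended reliance but cannot confirm from the hunk. ogg_new_stream's body continues outside the hunk.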
> @@ -185,7 +184,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t
> serial, int new_avstream)
>  static int ogg_new_buf(struct ogg *ogg, int idx)
>  {
>     struct ogg_stream *os = ogg->streams + idx;
> -    uint8_t *nb = av_malloc(os->bufsize);
> +    uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
>     int size = os->bufpos - os->pstart;
>     if(os->buf){
>         memcpy(nb, os->buf + os->pstart, size);
> @@ -299,7 +298,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
>     }
>
>     if (os->bufsize - os->bufpos < size){
> -        uint8_t *nb = av_malloc (os->bufsize *= 2);
> +        uint8_t *nb = av_malloc ((os->bufsize *= 2) +
> FF_INPUT_BUFFER_PADDING_SIZE);
>         memcpy (nb, os->buf, os->bufpos);
>         av_free (os->buf);
>         os->buf = nb;
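Review bot: `os->bufsize *= 2` inside the av_malloc argument on the `+` line updates the stream's recorded size before the allocation is known to have succeeded; if av_malloc returns NULL, os->buf still points at the old, smaller buffer while os->bufsize claims twice its length, so the `os->bufsize - os->bufpos < size` check above would let a later append write past the end of the old allocation. Computing the new size into a local, checking the allocation, and only then assigning os->bufsize avoids that, and the `(a *= 2) + b` form is hard to read in any case. ogg_read_page's body continues outside the hunk, so I am assuming its callers treat a negative return as failure.
```c
    if (os->bufsize - os->bufpos < size){
        int new_size = os->bufsize * 2;
        uint8_t *nb = av_malloc (new_size + FF_INPUT_BUFFER_PADDING_SIZE);
        if (!nb)
            return AVERROR(ENOMEM);
        memcpy (nb, os->buf, os->bufpos);
        av_free (os->buf);
        os->buf = nb;
        os->bufsize = new_size;
        /* … unchanged: rest of ogg_read_page … */
```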
> @@ -313,6 +312,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
>      os->granule = gp;
>     os->flags = flags;
>
> +    memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
>     if (str)
>         *str = idx;
>
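Review bot: The added memset is the only place where the FF_INPUT_BUFFER_PADDING_SIZE bytes after os->bufpos become defined, and nothing near it says why; a comment such as `/* zero the padding after the live data so parsers that read past bufpos see defined bytes */` would record that. It also silently relies on every allocation of os->buf reserving that padding, which this patch establishes in ogg_save, ogg_new_stream, ogg_new_buf and the grow path above; stating that invariant in the comment would guard against a future allocation site omitting it, since the memset would then write past the buffer. ogg_read_page's body continues outside the hunk.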
> --
> 1.7.7.3
>
>

