[libav-devel] [PATCH] oggdec: prevent heap corruption.
Ronald S. Bultje
rsbultje at gmail.com
Sat Jul 2 18:00:01 CEST 2011
From: Chris Evans <cevans at chromium.org>
Specially crafted samples can reinit ogg->streams[] while
reading samples, and thus we should not cache old pointers since
these may no longer be valid.
Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
---
libavformat/oggdec.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 998a33b..e85afaf 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -311,6 +311,7 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize,
int complete = 0;
int segp = 0, psize = 0;
+ *str = -1;
av_dlog(s, "ogg_packet: curidx=%i\n", ogg->curidx);
do{
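Review bot: The new `*str = -1;` dereferences str unconditionally, whereas the existing assignment of `*str` further down in ogg_packet is, as far as I recall, written as `if (str) *str = idx;` because some callers pass NULL for it; if that guard is there for a reason, the reset should match it: `if (str) *str = -1;`. The reset itself is needed: ogg_read_timestamp declares `int i;` without an initializer and compares `i == stream_index` after every call, so an early return from ogg_packet that never reached the `*str = idx` store left i uninitialized. ogg_packet's body continues outside the hunk.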
@@ -586,7 +587,6 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
int64_t *pos_arg, int64_t pos_limit)
{
struct ogg *ogg = s->priv_data;
- struct ogg_stream *os = ogg->streams + stream_index;
AVIOContext *bc = s->pb;
int64_t pts = AV_NOPTS_VALUE;
int i;
@@ -595,6 +595,7 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
while (avio_tell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
if (i == stream_index) {
+ struct ogg_stream *os = ogg->streams + stream_index;
pts = ogg_calc_pts(s, i, NULL);
if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
pts = AV_NOPTS_VALUE;
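Review bot: The re-fetch of `os` inside the loop is the right fix but is undocumented, and nothing prevents a later cleanup from hoisting it back out as a loop invariant, which is exactly the cached pointer this commit removes at the top of the function. A comment on the new line would pin the rule: `/* ogg_packet() may reinit ogg->streams; re-derive os after every call */`. The same comment belongs on the reassignment in ogg_read_seek after av_seek_frame_binary (`os = ogg->streams + stream_index;`). The while loop and the enclosing function extend beyond the hunk.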
@@ -620,6 +621,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index,
os->keyframe_seek = 1;
ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+ os = ogg->streams + stream_index;
if (ret < 0)
os->keyframe_seek = 0;
return ret;
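Review bot: After av_seek_frame_binary() the new line re-derives `os` from ogg->streams but still trusts stream_index, which was only validated against the array that existed before the seek; if the reinit that motivates this patch can also change the stream count, the index should be rechecked against `ogg->nstreams` before `os->keyframe_seek = 0` dereferences the new pointer. Whether the count can shrink is not visible from this hunk, so this may be a no-op in practice, but a bounds check here is cheap and keeps the seek path from indexing past a rebuilt array. ogg_read_seek starts outside the hunk.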
--
1.7.2.1