[libav-commits] matroska: don't overwrite string values until read/alloc was succesful.

Ronald S. Bultje git at libav.org
Sun Apr 1 19:04:57 CEST 2012

Module: libav
Branch: release/0.7
Commit: 6c12293f6c3c91d5fbbb1146ad0f77b887abed48

Author:    Ronald S. Bultje <rsbultje at gmail.com>
Committer: Reinhard Tartler <siretart at tauware.de>
Date:      Fri Feb 24 16:12:18 2012 -0800

matroska: don't overwrite string values until read/alloc was succesful.

This prevents certain tags with a default value assigned to them (as per
the EBML syntax elements) from ever being assigned a NULL value. Other
parts of the code rely on these being non-NULL (i.e. they don't check for
NULL before e.g. using the string in strcmp() or similar), and thus in
effect this prevents crashes when reading of such specific tags fails,
either because of low memory or because of targeted file corruption.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98)

Signed-off-by: Anton Khirnov <anton at khirnov.net>
Signed-off-by: Reinhard Tartler <siretart at tauware.de>


 libavformat/matroskadec.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5c814f4..f74d028 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -636,16 +636,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num)
 static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
-    av_free(*str);
+    char *res;
     /* EBML strings are usually not 0-terminated, so we allocate one
      * byte more, read the string and NULL-terminate it ourselves. */
-    if (!(*str = av_malloc(size + 1)))
+    if (!(res = av_malloc(size + 1)))
         return AVERROR(ENOMEM);
-    if (avio_read(pb, (uint8_t *) *str, size) != size) {
-        av_freep(str);
+    if (avio_read(pb, (uint8_t *) res, size) != size) {
+        av_free(res);
         return AVERROR(EIO);
-    (*str)[size] = '\0';
+    (res)[size] = '\0';
+    av_free(*str);
+    *str = res;
     return 0;

More information about the libav-commits mailing list