Commit c3761b66 authored by Dale Curtis's avatar Dale Curtis Committed by Reinhard Tartler

Fix uninitialized reads on malformed ogg files.

The ogg decoder wasn't padding the input buffer with the appropriate
FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in
various pieces of parsing code when they thought they had more data than
they actually did.
Signed-off-by: 's avatarDale Curtis <dalecurtis@chromium.org>
Signed-off-by: 's avatarRonald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit ef0d7797)
Signed-off-by: 's avatarReinhard Tartler <siretart@tauware.de>
parent 2e1474fd
......@@ -66,8 +66,7 @@ ogg_save (AVFormatContext * s)
for (i = 0; i < ogg->nstreams; i++){
struct ogg_stream *os = ogg->streams + i;
os->buf = av_malloc (os->bufsize);
memset (os->buf, 0, os->bufsize);
os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (os->buf, ost->streams[i].buf, os->bufpos);
}
......@@ -166,7 +165,7 @@ ogg_new_stream (AVFormatContext * s, uint32_t serial)
os = ogg->streams + idx;
os->serial = serial;
os->bufsize = DECODER_BUFFER_SIZE;
os->buf = av_malloc(os->bufsize);
os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
os->header = -1;
st = av_new_stream (s, idx);
......@@ -182,7 +181,7 @@ static int
ogg_new_buf(struct ogg *ogg, int idx)
{
struct ogg_stream *os = ogg->streams + idx;
uint8_t *nb = av_malloc(os->bufsize);
uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
int size = os->bufpos - os->pstart;
if(os->buf){
memcpy(nb, os->buf + os->pstart, size);
......@@ -279,7 +278,7 @@ ogg_read_page (AVFormatContext * s, int *str)
}
if (os->bufsize - os->bufpos < size){
uint8_t *nb = av_malloc (os->bufsize *= 2);
uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
memcpy (nb, os->buf, os->bufpos);
av_free (os->buf);
os->buf = nb;
......@@ -293,6 +292,7 @@ ogg_read_page (AVFormatContext * s, int *str)
os->granule = gp;
os->flags = flags;
memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
if (str)
*str = idx;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment