Commit 32d023eb authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/oggdec: Check buf before copying data in to it

Fixes null pointer dereference
Fixes: aace024653cc62947336b86f8de812ab_signal_sigsegv_a0500f_343_WobblyWindowsIntro.ogg with memlimit 262144

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 5d346fea
...@@ -60,6 +60,7 @@ static const struct ogg_codec * const ogg_codecs[] = { ...@@ -60,6 +60,7 @@ static const struct ogg_codec * const ogg_codecs[] = {
static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts); static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts);
static int ogg_new_stream(AVFormatContext *s, uint32_t serial); static int ogg_new_stream(AVFormatContext *s, uint32_t serial);
static int ogg_restore(AVFormatContext *s, int discard);
//FIXME We could avoid some structure duplication //FIXME We could avoid some structure duplication
static int ogg_save(AVFormatContext *s) static int ogg_save(AVFormatContext *s)
...@@ -68,6 +69,7 @@ static int ogg_save(AVFormatContext *s) ...@@ -68,6 +69,7 @@ static int ogg_save(AVFormatContext *s)
struct ogg_state *ost = struct ogg_state *ost =
av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams)); av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams));
int i; int i;
int ret = 0;
if (!ost) if (!ost)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
...@@ -81,14 +83,20 @@ static int ogg_save(AVFormatContext *s) ...@@ -81,14 +83,20 @@ static int ogg_save(AVFormatContext *s)
for (i = 0; i < ogg->nstreams; i++) { for (i = 0; i < ogg->nstreams; i++) {
struct ogg_stream *os = ogg->streams + i; struct ogg_stream *os = ogg->streams + i;
os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
if (os->buf)
memcpy(os->buf, ost->streams[i].buf, os->bufpos); memcpy(os->buf, ost->streams[i].buf, os->bufpos);
else
ret = AVERROR(ENOMEM);
os->new_metadata = NULL; os->new_metadata = NULL;
os->new_metadata_size = 0; os->new_metadata_size = 0;
} }
ogg->state = ost; ogg->state = ost;
return 0; if (ret < 0)
ogg_restore(s, 0);
return ret;
} }
static int ogg_restore(AVFormatContext *s, int discard) static int ogg_restore(AVFormatContext *s, int discard)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment