oggdec: prevent heap corruption.

Specifically crafted samples can reinit ogg->streams[] while reading samples, and thus we should not cache old pointers since these may no longer be valid. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>

oggdec: prevent heap corruption.
Specifically crafted samples can reinit ogg->streams[] while reading samples, and thus we should not cache old pointers since these may no longer be valid. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
4cc3467e · Chris Evans · Ronald S. Bultje · b047941d · 4cc3467e
Commit 4cc3467e authored Jun 29, 2011 by Chris Evans Committed by Ronald S. Bultje Jul 11, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

oggdec.c libavformat/oggdec.c +3 -2

No files found.
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -592,15 +592,15 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index,
                                  int64_t *pos_arg, int64_t pos_limit)
 {
    struct ogg *ogg = s->priv_data;
-    struct ogg_stream *os = ogg->streams + stream_index;
    AVIOContext *bc = s->pb;
    int64_t pts = AV_NOPTS_VALUE;
-    int i;
+    int i = -1;
    avio_seek(bc, *pos_arg, SEEK_SET);
    ogg_reset(ogg);
    while (avio_tell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
        if (i == stream_index) {
+            struct ogg_stream *os = ogg->streams + stream_index;
            pts = ogg_calc_pts(s, i, NULL);
            if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
                pts = AV_NOPTS_VALUE;
@@ -626,6 +626,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index,
        os->keyframe_seek = 1;
    ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+    os = ogg->streams + stream_index;
    if (ret < 0)
        os->keyframe_seek = 0;
    return ret;