[FFmpeg-cvslog] avio: fix potential crashes when combining ffio_ensure_seekback + crc
wm4 git at videolan.org
Thu Aug 20 14:53:41 CEST 2015
ffmpeg | branch: release/2.4 | wm4 <nfxjfg at googlemail.com> | Wed Jun 17 00:21:02 2015 +0200| [9d0aa058c997db60de84d2e05b08dabead9cb6e0] | committer: Michael Niedermayer
avio: fix potential crashes when combining ffio_ensure_seekback + crc
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.
This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d0aa058c997db60de84d2e05b08dabead9cb6e0
---
 libavformat/aviobuf.c |    3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 30db4a6..74686d1 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -783,6 +783,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
     int max_buffer_size = s->max_packet_size ?
                           s->max_packet_size : IO_BUFFER_SIZE;
     int filled = s->buf_end - s->buffer;
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
 
     buf_size += s->buf_ptr - s->buffer + max_buffer_size;
 
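Review bot: the new `ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;` line silently relies on checksum_ptr, when non-NULL, always pointing at or past s->buffer, and a reader of this function has no hint that the offset is saved only because the buffer is reallocated further down; a one-line comment stating both points, e.g. `/* checksum_ptr would dangle after realloc; keep it as an offset */`, would make the intent of the -1 sentinel and the capture-before-realloc order clear.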
@@ -800,6 +801,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
     s->buf_end = buffer + (s->buf_end - s->buffer);
     s->buffer = buffer;
     s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
     return 0;
 }
 
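Review bot: the restore under `if (checksum_ptr_offset >= 0)` fixes checksum_ptr, but it is worth confirming that no other field holds a raw pointer into the old s->buffer, since each such field needs the same treatment. Style-wise the function already rebases buf_end inline (`s->buf_end = buffer + (s->buf_end - s->buffer);`), so checksum_ptr could be rebased the same way just before `s->buffer = buffer;` with a NULL guard, `if (s->checksum_ptr) s->checksum_ptr = buffer + (s->checksum_ptr - s->buffer);`, which keeps all pointer rebasing in one place and drops the sentinel variable from the first hunk.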
    
    
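The bug class the commit message describes, as an added C example that is not FFmpeg's code: a simplified I/O context whose grow routine captures every pointer field as an offset before reallocating and rebases all of them afterwards, plus an invariant check a debug build or unit test can run after any grow. Field names mirror AVIOContext for readability; IoCtx, ctx_grow and ctx_pointers_valid are hypothetical names constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an I/O context with several pointers into one
 * allocation; field names follow AVIOContext but this is not FFmpeg's struct. */
typedef struct {
    unsigned char *buffer;       /* start of the backing allocation */
    unsigned char *buf_ptr;      /* current read position */
    unsigned char *buf_end;      /* end of valid data */
    unsigned char *checksum_ptr; /* next byte to checksum, or NULL */
    size_t buffer_size;
} IoCtx;

/* Grow the buffer. Offsets are captured first because every pointer into the
 * old allocation is invalid once it is freed; each one is rebased afterwards. */
int ctx_grow(IoCtx *s, size_t new_size)
{
    ptrdiff_t ptr_off = s->buf_ptr - s->buffer;
    ptrdiff_t end_off = s->buf_end - s->buffer;
    /* -1 marks "no checksum in progress" so a NULL checksum_ptr stays NULL */
    ptrdiff_t cks_off = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
    unsigned char *nb;
    if (new_size <= s->buffer_size)
        return 0;
    nb = malloc(new_size);
    if (!nb)
        return -1;
    memcpy(nb, s->buffer, (size_t)end_off);
    free(s->buffer);
    s->buffer = nb;
    s->buffer_size = new_size;
    s->buf_ptr = nb + ptr_off;
    s->buf_end = nb + end_off;
    s->checksum_ptr = cks_off >= 0 ? nb + cks_off : NULL;
    return 0;
}

/* Debug-build invariant: every non-NULL pointer field must lie inside the
 * current allocation; a pointer left over from before a grow fails this. */
int ctx_pointers_valid(const IoCtx *s)
{
    uintptr_t lo = (uintptr_t)s->buffer, hi = lo + s->buffer_size;
    uintptr_t p = (uintptr_t)s->buf_ptr, e = (uintptr_t)s->buf_end;
    uintptr_t c = (uintptr_t)s->checksum_ptr;
    if (p < lo || e < p || hi < e)
        return 0;
    return !s->checksum_ptr || (lo <= c && c <= hi);
}
```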