[FFmpeg-cvslog] matroskadec: prevent access of elements after freeing

Michael Schenk git at videolan.org
Wed Nov 30 02:16:31 EET 2016


ffmpeg | branch: master | Michael Schenk <michael.schenk at albis-elcon.com> | Fri Nov 25 09:36:20 2016 +0100| [18b94669372d3d4b6c51e347587ea64acef9dbb8] | committer: Andreas Cadhalpun

matroskadec: prevent access of elements after freeing

Using the decode interrupt feature of ffmpeg may cause crashes by
accessing previously freed pointers in matroska_read_close.

To prevent this, reset nb_elem to zero after freeing the elements,
because ffmpeg normally tests for nb_elem.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18b94669372d3d4b6c51e347587ea64acef9dbb8
---

 libavformat/matroskadec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f79511e..d96e861 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1237,6 +1237,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data)
                      j++, ptr += syntax[i].list_elem_size)
                     ebml_free(syntax[i].def.n, ptr);
                 av_freep(&list->elem);
+                list->nb_elem = 0;
             } else
                 ebml_free(syntax[i].def.n, data_off);
         default:
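
Review bot: the added `list->nb_elem = 0;` after `av_freep(&list->elem);` carries no comment explaining why the count has to be cleared, and the reason is not obvious from this function alone. av_freep() already sets `list->elem` to NULL, so the reset exists only to keep the count consistent with the now-empty list for code that loops on `nb_elem`, including a second pass through ebml_free() on the same data, which the commit message describes happening via matroska_read_close after a decode interrupt. A one-line comment to that effect would keep the line from being removed later as redundant. It is also worth confirming that every reader of these lists checks `nb_elem` before touching `elem`, since the fix depends on that convention.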


