ffmpeg | branch: release/2.2 | wm4 <nfx...@googlemail.com> | Wed Jun 17 00:21:02 2015 +0200| [539603e8770faa416f9b8383ddc8659e3b463bca] | committer: Michael Niedermayer
avio: fix potential crashes when combining ffio_ensure_seekback + crc Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michae...@gmx.at> (cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845) Conflicts: libavformat/aviobuf.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=539603e8770faa416f9b8383ddc8659e3b463bca --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index db5a0f3..a311f53 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -765,6 +765,7 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size) uint8_t *buffer; int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -782,6 +783,8 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
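Review bot: in the first hunk, the `-1` sentinel in `ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;` cannot be told apart from a genuinely negative difference, so if `checksum_ptr` ever pointed before `s->buffer` the later `>= 0` guard would silently skip the rebase and leave the dangling pointer the commit sets out to fix. Consider asserting that `s->checksum_ptr` lies within `[s->buffer, s->buf_end]` when it is non-NULL (an `av_assert0` would do), or tracking the "no checksum" case with a separate flag instead of overloading the offset value.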
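Review bot: the second hunk rebases `s->checksum_ptr` right after `s->buffer = buffer;` in the same way the visible context rebases `s->buf_end`, but nothing in the code says why; a one-line comment above `if (checksum_ptr_offset >= 0)` stating that every pointer into the old buffer (`buf_ptr`, `buf_end`, `checksum_ptr`) must be re-derived from its offset after reallocation would make it harder for the next pointer field added to `AVIOContext` to regress into the same out-of-bounds access. Since the commit message notes a cherry-pick conflict in this file, it would also help to confirm in the message that the restored line sits after the final `s->buffer = buffer;` assignment on this branch.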