My original patch missed two allocations; the new one gets them all. Thanks in advance.
- dale On Wed, Mar 7, 2012 at 2:26 PM, <[email protected]> wrote: > From: Dale Curtis <[email protected]> > > The ogg decoder wasn't padding the input buffer with the appropriate > FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in > various pieces of parsing code when they thought they had more data than > they actually did. > > Signed-off-by: Dale Curtis <[email protected]> > --- > libavformat/oggdec.c | 10 +++++----- > 1 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c > index 39f99e5..bdd2c5b 100644 > --- a/libavformat/oggdec.c > +++ b/libavformat/oggdec.c > @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s) > > for (i = 0; i < ogg->nstreams; i++){ > struct ogg_stream *os = ogg->streams + i; > - os->buf = av_malloc (os->bufsize); > - memset (os->buf, 0, os->bufsize); > + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); > memcpy (os->buf, ost->streams[i].buf, os->bufpos); > } > > @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t > serial, int new_avstream) > os = ogg->streams + idx; > os->serial = serial; > os->bufsize = DECODER_BUFFER_SIZE; > - os->buf = av_malloc(os->bufsize); > + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); > os->header = -1; > > if (new_avstream) { > @@ -185,7 +184,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t > serial, int new_avstream) > static int ogg_new_buf(struct ogg *ogg, int idx) > { > struct ogg_stream *os = ogg->streams + idx; > - uint8_t *nb = av_malloc(os->bufsize); > + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); > int size = os->bufpos - os->pstart; > if(os->buf){ > memcpy(nb, os->buf + os->pstart, size); 
> @@ -299,7 +298,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) > } > > if (os->bufsize - os->bufpos < size){ > - uint8_t *nb = av_malloc (os->bufsize *= 2); > + uint8_t *nb = av_malloc ((os->bufsize *= 2) + > FF_INPUT_BUFFER_PADDING_SIZE); > memcpy (nb, os->buf, os->bufpos); > av_free (os->buf); > os->buf = nb; > @@ -313,6 +312,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) > os->granule = gp; > os->flags = flags; > > + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); > if (str) > *str = idx; > > -- > 1.7.7.3 > >
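Review bot: In the ogg_save hunk the `av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE)` result is passed straight to `memcpy` without a NULL check, so an allocation failure during save becomes a NULL write; returning AVERROR(ENOMEM) there would be safer. This is also the only site in the patch that zero-fills the whole buffer (the other three use `av_malloc`), which is fine since the save copy only needs the padding cleared, but it is worth a comment explaining why the two styles differ.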
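Review bot: In the ogg_new_stream hunk `os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` leaves the padding bytes uninitialized; they are only cleared by the new `memset` at the end of ogg_read_page, so any reader that touches `os->buf` before the first page has been appended still sees uninitialized padding. Either use `av_mallocz` here as in ogg_save, or document that the buffer is not valid for parsing until ogg_read_page has run. The return value is also unchecked, as before.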
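Review bot: In the ogg_new_buf hunk the replacement buffer `uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);` receives only `size` bytes via `memcpy`, so the region from `size` to the end of the padding is uninitialized until the later `memset` in ogg_read_page covers `os->buf + os->bufpos`; that relies on `bufpos` being reset to `size` before the memset runs, which is outside the visible lines and should be confirmed in the surrounding code.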
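Review bot: In the first ogg_read_page hunk, `av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE)` updates `os->bufsize` before the allocation is known to have succeeded, so on failure the stream records a buffer size it does not have and the following `memcpy (nb, os->buf, os->bufpos)` dereferences NULL. Compute the new size into a local, allocate, check for NULL, and only then assign `os->bufsize` and `os->buf`.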
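Review bot: In the last ogg_read_page hunk the added `memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);` is correct only while `os->bufpos <= os->bufsize`, which the growth check above guarantees for this path; a short comment stating that invariant next to the memset would make it clear why writing past `bufpos` is in bounds, and would help anyone later adding another append path to remember that the padding must be re-zeroed after every write to the buffer.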
_______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
