It might be passed to code requiring padding, such as lzo decompression.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:[email protected]
---
libavformat/matroskadec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f798342..764dbf8 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -734,9 +734,11 @@ static int ebml_read_ascii(AVIOContext *pb, int size, char
**str)
static int ebml_read_binary(AVIOContext *pb, int length, EbmlBin *bin)
{
av_free(bin->data);
- if (!(bin->data = av_malloc(length)))
+ if (!(bin->data = av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE)))
return AVERROR(ENOMEM);
+ memset(bin->data + length, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+
bin->size = length;
bin->pos = avio_tell(pb);
if (avio_read(pb, bin->data, length) != length) {
--
1.7.10.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
