diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-25 15:28:50 +0400 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 20:33:29 +0400 |
| commit | 96ed18cab1048f03ff1c825f46b25d49218f1da4 (patch) | |
| tree | 0554729de2c95641c66482fbf0de577a1607ab08 /libavcodec | |
| parent | a207a2fecc6a77735ab0cf209fdba0b4dd942a86 (diff) | |
shorten: Use separate pointers for the allocated memory for decoded samples.
Fixes invalid free() if any of the buffers are not allocated due to either
not decoding a header or an error prior to allocating all buffers.
Fixes CVE-2012-0858
CC: libav-stable@libav.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6fc3287b9ccece290c5881b92948772bbf72e68c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/shorten.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7ce58ef0d3..b8c1908357 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -81,6 +81,7 @@ typedef struct ShortenContext { int channels; int32_t *decoded[MAX_CHANNELS]; + int32_t *decoded_base[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; int *coeffs; uint8_t *bitstream; @@ -130,13 +131,14 @@ static int allocate_buffers(ShortenContext *s) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; - tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap)); + tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) * + sizeof(s->decoded_base[0][0])); if (!tmp_ptr) return AVERROR(ENOMEM); - s->decoded[chan] = tmp_ptr; + s->decoded_base[chan] = tmp_ptr; for (i=0; i<s->nwrap; i++) - s->decoded[chan][i] = 0; - s->decoded[chan] += s->nwrap; + s->decoded_base[chan][i] = 0; + s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); @@ -542,8 +544,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) int i; for (i = 0; i < s->channels; i++) { - s->decoded[i] -= s->nwrap; - av_freep(&s->decoded[i]); + s->decoded[i] = NULL; + av_freep(&s->decoded_base[i]); av_freep(&s->offset[i]); } av_freep(&s->bitstream); |