~ubuntu-branches/ubuntu/raring/libav/raring-security


Viewing changes to debian/patches/post-0.7.1/0070-Fix-memory-re-allocation-in-matroskadec.c-related-to.patch

  • Committer: Package Import Robot
  • Author(s): Reinhard Tartler
  • Date: 2011-09-28 09:18:34 UTC
  • mfrom: (1.3.7 sid)
  • Revision ID: package-import@ubuntu.com-20110928091834-w415mnuh06h4zpvc
Tags: 4:0.7.1-7ubuntu2
Revert "Convert package to include multiarch support."

 
1
From 77d2ef13a8fa630e5081f14bde3fd20f84c90aec Mon Sep 17 00:00:00 2001
 
2
From: Michael Niedermayer <michaelni@gmx.at>
 
3
Date: Thu, 28 Jul 2011 14:59:54 +0200
 
4
Subject: [PATCH] Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
 
5
 
 
6
Whitespace of the patch cleaned up by Aurel
 
7
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
 
8
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 
9
 
 
10
(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
 
11
 
 
12
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
 
13
implemented by Reinhard Tartler <siretart@tauware.de>
 
14
 
 
15
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
 
16
---
 
17
 libavformat/matroskadec.c |   37 +++++++++++++++++++++++++++++--------
 
18
 1 files changed, 29 insertions(+), 8 deletions(-)
 
19
 
 
20
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
 
21
index af5532b..89df095 100644
 
22
--- a/libavformat/matroskadec.c
 
23
+++ b/libavformat/matroskadec.c
 
24
@@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
 
25
     uint32_t id = syntax->id;
 
26
     uint64_t length;
 
27
     int res;
 
28
+    void *newelem;
 
29
 
 
30
     data = (char *)data + syntax->data_offset;
 
31
     if (syntax->list_elem_size) {
 
32
         EbmlList *list = data;
 
33
-        list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
 
34
+        newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
 
35
+        if (!newelem)
 
36
+            return AVERROR(ENOMEM);
 
37
+        list->elem = newelem;
 
38
         data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
 
39
         memset(data, 0, syntax->list_elem_size);
 
40
         list->nb_elem++;
 
41
@@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
 
42
     uint8_t* data = *buf;
 
43
     int isize = *buf_size;
 
44
     uint8_t* pkt_data = NULL;
 
45
+    uint8_t* newpktdata;
 
46
     int pkt_size = isize;
 
47
     int result = 0;
 
48
     int olen;
 
49
@@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
 
50
         zstream.avail_in = isize;
 
51
         do {
 
52
             pkt_size *= 3;
 
53
-            pkt_data = av_realloc(pkt_data, pkt_size);
 
54
+            newpktdata = av_realloc(pkt_data, pkt_size);
 
55
+            if (!newpktdata) {
 
56
+                inflateEnd(&zstream);
 
57
+                goto failed;
 
58
+            }
 
59
+            pkt_data = newpktdata;
 
60
             zstream.avail_out = pkt_size - zstream.total_out;
 
61
             zstream.next_out = pkt_data + zstream.total_out;
 
62
             result = inflate(&zstream, Z_NO_FLUSH);
 
63
@@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
 
64
         bzstream.avail_in = isize;
 
65
         do {
 
66
             pkt_size *= 3;
 
67
-            pkt_data = av_realloc(pkt_data, pkt_size);
 
68
+            newpktdata = av_realloc(pkt_data, pkt_size);
 
69
+            if (!newpktdata) {
 
70
+                BZ2_bzDecompressEnd(&bzstream);
 
71
+                goto failed;
 
72
+            }
 
73
+            pkt_data = newpktdata;
 
74
             bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
 
75
             bzstream.next_out = pkt_data + bzstream.total_out_lo32;
 
76
             result = BZ2_bzDecompress(&bzstream);
 
77
@@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
 
78
     }
 
79
 }
 
80
 
 
81
-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
 
82
+static int matroska_merge_packets(AVPacket *out, AVPacket *in)
 
83
 {
 
84
-    out->data = av_realloc(out->data, out->size+in->size);
 
85
+    void *newdata = av_realloc(out->data, out->size+in->size);
 
86
+    if (!newdata)
 
87
+        return AVERROR(ENOMEM);
 
88
+    out->data = newdata;
 
89
     memcpy(out->data+out->size, in->data, in->size);
 
90
     out->size += in->size;
 
91
     av_destruct_packet(in);
 
92
     av_free(in);
 
93
+    return 0;
 
94
 }
 
95
 
 
96
 static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
 
97
@@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
 
98
         memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
 
99
         av_free(matroska->packets[0]);
 
100
         if (matroska->num_packets > 1) {
 
101
+            void *newpackets;
 
102
             memmove(&matroska->packets[0], &matroska->packets[1],
 
103
                     (matroska->num_packets - 1) * sizeof(AVPacket *));
 
104
-            matroska->packets =
 
105
-                av_realloc(matroska->packets, (matroska->num_packets - 1) *
 
106
-                           sizeof(AVPacket *));
 
107
+            newpackets = av_realloc(matroska->packets,
 
108
+                            (matroska->num_packets - 1) * sizeof(AVPacket *));
 
109
+            if (newpackets)
 
110
+                matroska->packets = newpackets;
 
111
         } else {
 
112
             av_freep(&matroska->packets);
 
113
         }
 
114
-- 
 
115
1.7.4.1
 
116