From 77d2ef13a8fa630e5081f14bde3fd20f84c90aec Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 28 Jul 2011 14:59:54 +0200
Subject: [PATCH] Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavformat/matroskadec.c | 37 +++++++++++++++++++++++++++++--------
1 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
21
index af5532b..89df095 100644
22
--- a/libavformat/matroskadec.c
23
+++ b/libavformat/matroskadec.c
24
@@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
25
uint32_t id = syntax->id;
30
data = (char *)data + syntax->data_offset;
31
if (syntax->list_elem_size) {
32
EbmlList *list = data;
33
- list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
34
+ newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
36
+ return AVERROR(ENOMEM);
37
+ list->elem = newelem;
38
data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
39
memset(data, 0, syntax->list_elem_size);
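Review bot: The size on the `newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);` line is still computed in the fields' own integer width before av_realloc sees it, so an element count driven by the input file can wrap the product and the new NULL check would then accept an undersized buffer that the following `memset(data, 0, syntax->list_elem_size)` writes past. A guard before the call closes this, assuming both fields are int: `if (list->nb_elem >= INT_MAX / syntax->list_elem_size) return AVERROR(ENOMEM);` (list_elem_size is known non-zero inside this branch). Row 35 of this rendering is not shown, so the NULL test between the realloc and the `return AVERROR(ENOMEM)` is assumed rather than seen. ebml_parse_elem's body starts and ends outside the hunk.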
41
@@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
43
int isize = *buf_size;
44
uint8_t* pkt_data = NULL;
45
+ uint8_t* newpktdata;
49
@@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
50
zstream.avail_in = isize;
53
- pkt_data = av_realloc(pkt_data, pkt_size);
54
+ newpktdata = av_realloc(pkt_data, pkt_size);
56
+ inflateEnd(&zstream);
59
+ pkt_data = newpktdata;
60
zstream.avail_out = pkt_size - zstream.total_out;
61
zstream.next_out = pkt_data + zstream.total_out;
62
result = inflate(&zstream, Z_NO_FLUSH);
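Review bot: On the failure path after `newpktdata = av_realloc(pkt_data, pkt_size);` the previous pkt_data allocation still belongs to this function, so besides the `inflateEnd(&zstream);` shown the error return must also `av_free(pkt_data);` (or reach the function's existing cleanup) or every failed decode of a large block leaks the partially inflated buffer. Rows 55, 57 and 58 of this rendering are not shown, so whether the commit already frees it cannot be confirmed from here; a comment such as `/* realloc failed: release the partially decoded buffer, not just the zlib state */` on that branch would make the intent checkable. The same question applies to the bzip2 path in the next hunk, where `newpktdata = av_realloc(pkt_data, pkt_size);` is followed by `BZ2_bzDecompressEnd(&bzstream);`. matroska_decode_buffer's body starts and ends outside both hunks.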
63
@@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
64
bzstream.avail_in = isize;
67
- pkt_data = av_realloc(pkt_data, pkt_size);
68
+ newpktdata = av_realloc(pkt_data, pkt_size);
70
+ BZ2_bzDecompressEnd(&bzstream);
73
+ pkt_data = newpktdata;
74
bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
75
bzstream.next_out = pkt_data + bzstream.total_out_lo32;
76
result = BZ2_bzDecompress(&bzstream);
77
@@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
81
-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
82
+static int matroska_merge_packets(AVPacket *out, AVPacket *in)
84
- out->data = av_realloc(out->data, out->size+in->size);
85
+ void *newdata = av_realloc(out->data, out->size+in->size);
87
+ return AVERROR(ENOMEM);
88
+ out->data = newdata;
89
memcpy(out->data+out->size, in->data, in->size);
90
out->size += in->size;
91
av_destruct_packet(in);
96
static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
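Review bot: matroska_merge_packets now returns int, but no visible hunk updates its caller to check the result, so if the call site is not changed elsewhere an ENOMEM return is silently dropped with `out` holding its old data and `in` still unconsumed. The size on the `void *newdata = av_realloc(out->data, out->size+in->size);` line is plain int arithmetic and can overflow for large packets; `if (in->size > INT_MAX - out->size) return AVERROR(ENOMEM);` before the call closes that. The new contract also deserves a comment above the signature, since the early return precedes `av_destruct_packet(in)`: `/* Appends in to out. On success in is destructed; on ENOMEM both packets are left untouched and in still belongs to the caller. */`. Row 86 of this rendering is not shown, so the NULL test before `return AVERROR(ENOMEM)` is assumed rather than seen.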
97
@@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
98
memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
99
av_free(matroska->packets[0]);
100
if (matroska->num_packets > 1) {
102
memmove(&matroska->packets[0], &matroska->packets[1],
103
(matroska->num_packets - 1) * sizeof(AVPacket *));
104
- matroska->packets =
105
- av_realloc(matroska->packets, (matroska->num_packets - 1) *
106
- sizeof(AVPacket *));
107
+ newpackets = av_realloc(matroska->packets,
108
+ (matroska->num_packets - 1) * sizeof(AVPacket *));
110
+ matroska->packets = newpackets;
112
av_freep(&matroska->packets);