From 32d023eb6d0a80be551d8cfb207df61928db930b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 13 Jul 2015 21:44:26 +0200
Subject: [PATCH] avformat/oggdec: Check buf before copying data in to it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes null pointer dereference
Fixes: aace024653cc62947336b86f8de812ab_signal_sigsegv_a0500f_343_WobblyWindowsIntro.ogg with memlimit 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/oggdec.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 72d96e829c..0a9f33717b 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -60,6 +60,7 @@ static const struct ogg_codec * const ogg_codecs[] = {
 
 static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts);
 static int ogg_new_stream(AVFormatContext *s, uint32_t serial);
+static int ogg_restore(AVFormatContext *s, int discard);
 
 //FIXME We could avoid some structure duplication
 static int ogg_save(AVFormatContext *s)
@@ -68,6 +69,7 @@ static int ogg_save(AVFormatContext *s)
 struct ogg_state *ost =
 av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams));
 int i;
+ int ret = 0;
 
 if (!ost)
 return AVERROR(ENOMEM);
@@ -81,14 +83,20 @@ static int ogg_save(AVFormatContext *s)
 for (i = 0; i < ogg->nstreams; i++) {
 struct ogg_stream *os = ogg->streams + i;
 os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
- memcpy(os->buf, ost->streams[i].buf, os->bufpos);
+ if (os->buf)
+ memcpy(os->buf, ost->streams[i].buf, os->bufpos);
+ else
+ ret = AVERROR(ENOMEM);
 os->new_metadata = NULL;
 os->new_metadata_size = 0;
 }
 
 ogg->state = ost;
 
+ if (ret < 0)
+ ogg_restore(s, 0);
+
 return ret;
 }
 
 static int ogg_restore(AVFormatContext *s, int discard)
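Review bot: In the third hunk the loop keeps calling av_mallocz() and memcpy() for the remaining streams after ret has already been set to AVERROR(ENOMEM), and nothing says why an early `break` would be wrong, so a later cleanup is likely to add one. If ogg_restore() frees every stream's buf before copying the saved streams back (its body is outside the hunk, so this is inferred from how it is used here), breaking early would leave the unprocessed streams still pointing at the buffers ogg_save() saved into ost, which the restore would free and then hand back. Suggest a comment above the `else` branch: `/* keep going: every os->buf must be replaced before ogg_restore() frees them all */`. The return value of `ogg_restore(s, 0)` is also discarded, so if it can fail the caller only ever sees ENOMEM; that is probably acceptable here but deserves a one-line comment. ogg_save() begins before this hunk.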