From 8829c79039379e7fde64a837f3dbae088a4dbdbb Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Fri, 4 Jan 2013 16:05:51 +0100
Subject: [PATCH] oggdec: make sure the private parse data is cleaned up
 (cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646)

Related to CVE-2012-2882

Conflicts:

	libavformat/oggdec.h
	libavformat/oggparsevorbis.c
---
 libavformat/oggdec.c         |  4 ++++
 libavformat/oggdec.h         |  5 +++++
 libavformat/oggparsevorbis.c | 14 +++++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 3079685652..2a1c0a5f6f 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -508,6 +508,10 @@ static int ogg_read_close(AVFormatContext *s)
 
     for (i = 0; i < ogg->nstreams; i++) {
         av_free(ogg->streams[i].buf);
+        if (ogg->streams[i].codec &&
+            ogg->streams[i].codec->cleanup) {
+            ogg->streams[i].codec->cleanup(s, i);
+        }
         av_free(ogg->streams[i].private);
     }
     av_free(ogg->streams);
diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h
index 184a628622..1a702c32d2 100644
--- a/libavformat/oggdec.h
+++ b/libavformat/oggdec.h
@@ -51,6 +51,11 @@ struct ogg_codec {
      * 0 if granule is the end time of the associated packet.
      */
     int granule_is_start;
+    /**
+     * Number of expected headers
+     */
+    int nb_header;
+    void (*cleanup)(AVFormatContext *s, int idx);
 };
 
 struct ogg_stream {
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index ba9b348456..0c26684dd2 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -188,6 +188,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv,
     return offset;
 }
 
+static int vorbis_cleanup(AVFormatContext *s, int idx)
+{
+    struct ogg *ogg = s->priv_data;
+    struct ogg_stream *os = ogg->streams + idx;
+    struct oggvorbis_private *priv = os->private;
+    int i;
+    if (os->private)
+        for (i = 0; i < 3; i++)
+            av_freep(&priv->packet[i]);
+}
 
 static int
 vorbis_header (AVFormatContext * s, int idx)
@@ -278,5 +288,7 @@ vorbis_header (AVFormatContext * s, int idx)
 const struct ogg_codec ff_vorbis_codec = {
     .magic = "\001vorbis",
     .magicsize = 7,
-    .header = vorbis_header
+    .header = vorbis_header,
+    .cleanup= vorbis_cleanup,
+    .nb_header = 3,
 };