On Thu, Jan 08, 2015 at 05:19:17PM +0100, wm4 wrote:
> dvdsub_decode() can call append_to_cached_buf() 2 times, the second time
> with ctx->buf as argument. If the second append_to_cached_buf() reallocs
> ctx->buf, the argument will be a pointer to the previous, freed block.
> This can cause invalid reads at least with some fuzzed files - and
> possibly with valid files.
>
> Since packets can apparently not be larger than 64K (even if packets are
> combined), just use a fixed size buffer. It will be allocated as part of
> the DVDSubContext, and although some memory is "wasted", it's relatively
> minimal by modern standards and should be acceptable.
> ---
> libavcodec/dvdsubdec.c | 12 +++---------
> 1 file changed, 3 insertions(+), 9 deletions(-)
applied

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
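The aliasing hazard wm4 describes, and the fixed-buffer shape of the fix, reduced to a constructed example (this is not FFmpeg's code; `HeapCtx`, `FixedCtx`, `append_heap`, `append_fixed`, `MAX_PACKET` and the sample packet are assumptions made for illustration):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not FFmpeg's code. The commit message states that
 * packets never exceed 64K, which is what makes a fixed buffer acceptable. */
#define MAX_PACKET 65536

typedef struct { uint8_t *buf; int buf_size; } HeapCtx; /* pre-patch layout */

/* Pre-patch pattern: realloc, then copy from `data`. If `data` points into
 * ctx->buf, the realloc may free the block `data` refers to before memcpy
 * reads it. Shown for contrast only; never called with an aliasing source. */
int append_heap(HeapCtx *ctx, const uint8_t *data, int len)
{
    uint8_t *nb = realloc(ctx->buf, (size_t)ctx->buf_size + (size_t)len);
    if (!nb) return -1;
    ctx->buf = nb;
    memcpy(ctx->buf + ctx->buf_size, data, (size_t)len); /* `data` may dangle here */
    ctx->buf_size += len;
    return 0;
}

typedef struct { uint8_t buf[MAX_PACKET]; int buf_size; } FixedCtx; /* post-patch */

/* Post-patch pattern: storage is part of the context and never moves, so a
 * source inside ctx->buf stays valid. The remaining hazard, overrunning the
 * fixed array, is rejected before anything is copied. */
int append_fixed(FixedCtx *ctx, const uint8_t *data, int len)
{
    if (len < 0 || len > MAX_PACKET - ctx->buf_size)
        return -1;
    /* dst [buf_size, buf_size+len) cannot overlap a source inside [0, buf_size) */
    memcpy(ctx->buf + ctx->buf_size, data, (size_t)len);
    ctx->buf_size += len;
    return 0;
}

/* The two-call sequence from dvdsub_decode(): append a packet, then append
 * the cached buffer to itself. Returns the final size, or -1 on failure. */
int demo_self_append(void)
{
    static FixedCtx ctx; /* static: 64K is too large for a typical stack frame */
    const uint8_t packet[4] = {0x01, 0x02, 0x03, 0x04}; /* constructed sample */
    ctx.buf_size = 0;
    if (append_fixed(&ctx, packet, 4) < 0) return -1;
    if (append_fixed(&ctx, ctx.buf, ctx.buf_size) < 0) return -1; /* source aliases ctx.buf */
    return memcmp(ctx.buf, "\x01\x02\x03\x04\x01\x02\x03\x04", 8) == 0 ? ctx.buf_size : -1;
}
```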