Module: libav Branch: release/0.6 Commit: 88ea7ca6279720de9c8db0a4c9a2928e6c7f6061
Author: Chris Evans <[email protected]>
Committer: Reinhard Tartler <[email protected]>
Date: Thu Aug 4 22:00:29 2011 +0200
oggdec: prevent heap corruption.
Specifically crafted samples can reinit ogg->streams[] while reading samples, and thus we should not cache old pointers since these may no longer be valid.
Signed-off-by: Ronald S. Bultje <[email protected]>
(cherry-picked from commit 4cc3467e7abfea7e8d03b6af511f7719038a5a98)
---
 libavformat/oggdec.c | 10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 3161e68..76b28ab 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -577,20 +577,19 @@ ogg_read_close (AVFormatContext * s)
 }
-static int64_t
-ogg_read_timestamp (AVFormatContext * s, int stream_index, int64_t * pos_arg,
- int64_t pos_limit)
+static int64_t ogg_read_timestamp (AVFormatContext * s, int stream_index,
+ int64_t * pos_arg, int64_t pos_limit)
 {
 struct ogg *ogg = s->priv_data;
- struct ogg_stream *os = ogg->streams + stream_index;
 ByteIOContext *bc = s->pb;
 int64_t pts = AV_NOPTS_VALUE;
- int i;
+ int i = -1;
 url_fseek(bc, *pos_arg, SEEK_SET);
 ogg_reset(ogg);
 while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
 if (i == stream_index) {
+ struct ogg_stream *os = ogg->streams + stream_index;
 pts = ogg_calc_pts(s, i, NULL);
 if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
 pts = AV_NOPTS_VALUE;
@@ -615,6 +614,7 @@ static int ogg_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
 os->keyframe_seek = 1;
 ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+ os = ogg->streams + stream_index;
 if (ret < 0)
 os->keyframe_seek = 0;
 return ret;
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
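Review bot: Nothing in the new loop body of ogg_read_timestamp records why `os` is derived only after ogg_packet() has returned, so a later tidy-up could hoist the declaration back to the top of the function and bring back the stale pointer the commit message describes. A one-line comment above the new declaration would pin the rule, for example `/* ogg_packet() can reinit ogg->streams[]; do not cache os across the call */`. The same remark applies to the refresh added after av_seek_frame_binary() in the ogg_read_seek hunk. The loop body continues past the end of this hunk, so any later uses of `os` in it are not visible here.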
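Review bot: In the ogg_read_seek hunk the refreshed `os` serves a single store on the error path, so the pointer could be dropped there by indexing the array directly: `if (ret < 0) ogg->streams[stream_index].keyframe_seek = 0;`. Written that way, no cached pointer survives the av_seek_frame_binary() call to go stale again. The declaration of `os` and the start of the function lie outside the hunk, so how `os` is used before the seek cannot be checked from here.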
