On Fri, 24 Feb 2012 16:12:18 -0800, "Ronald S. Bultje" <[email protected]> wrote: > From: "Ronald S. Bultje" <[email protected]> > > This prevents certain tags with a default value assigned to them (as per > the EBML syntax elements) from ever being assigned a NULL value. Other > parts of the code rely on these being non-NULL (i.e. they don't check for > NULL before e.g. using the string in strcmp() or similar), and thus in > effect this prevents crashes when reading of such specific tags fails, > either because of low memory or because of targeted file corruption. > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavformat/matroskadec.c | 13 ++++++++----- > 1 files changed, 8 insertions(+), 5 deletions(-) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index 4d02488..eadf653 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c > @@ -639,16 +639,19 @@ static int ebml_read_float(AVIOContext *pb, int size, > double *num) > */ > static int ebml_read_ascii(AVIOContext *pb, int size, char **str) > { > - av_free(*str); > + char *res; > + > /* EBML strings are usually not 0-terminated, so we allocate one > * byte more, read the string and NULL-terminate it ourselves. */ > - if (!(*str = av_malloc(size + 1))) > + if (!(res = av_malloc(size + 1))) > return AVERROR(ENOMEM); > - if (avio_read(pb, (uint8_t *) *str, size) != size) { > - av_freep(str); > + if (avio_read(pb, (uint8_t *) res, size) != size) { > + av_free(res); > return AVERROR(EIO); > } > - (*str)[size] = '\0'; > + (res)[size] = '\0'; > + av_free(*str); > + *str = res; > > return 0; > } > -- > 1.7.7.4 >
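Review bot: `av_malloc(size + 1)` in ebml_read_ascii() still adds 1 to an `int` size with no range check visible in the hunk, so a negative size or INT_MAX would wrap before the allocation and the later `res[size] = '\0'` store; if the caller guarantees the bound, say so in the comment above the function, otherwise reject `size < 0` before allocating. Minor: `(res)[size] = '\0';` carries over the parentheses from the old `(*str)[size]`; plain `res[size] = '\0';` reads cleaner. Moving `av_free(*str)` after the successful read is the right shape: both the ENOMEM and the EIO return now leave the caller's previous (possibly default) string untouched.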
Looks ok.

-- 
Anton Khirnov

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
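The pattern the patch introduces (build the replacement first, swap it in only after the read succeeded) is shown below as an added, self-contained example; it is not libav code and not from either poster. mem_reader, mem_read, read_ascii_before, read_ascii_after and is_matroska_doctype are stand-in names invented for this illustration, and the truncated byte stream is constructed input.

```c
/* Added example (not libav code): a minimal stand-in for ebml_read_ascii()
 * showing why freeing the destination before the read succeeds is unsafe.
 * mem_reader/mem_read stand in for AVIOContext/avio_read; the function
 * names below are assumptions made for this illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Stand-in for AVIOContext: an in-memory byte stream with a read cursor. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_reader;

/* Stand-in for avio_read(): returns the number of bytes actually copied,
 * which is less than size when the stream is truncated. */
static int mem_read(mem_reader *r, unsigned char *dst, int size)
{
    size_t avail = r->len - r->pos;
    size_t n = (size_t)size < avail ? (size_t)size : avail;
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return (int)n;
}

/* Portable replacement for strdup(), so the file builds under strict C11. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Pre-patch shape: *str is freed first, so a failed read leaves the caller
 * holding NULL even when the tag carried a default value. */
static int read_ascii_before(mem_reader *pb, int size, char **str)
{
    free(*str);
    if (!(*str = malloc((size_t)size + 1)))
        return -ENOMEM;
    if (mem_read(pb, (unsigned char *)*str, size) != size) {
        free(*str);
        *str = NULL;
        return -EIO;
    }
    (*str)[size] = '\0';
    return 0;
}

/* Post-patch shape: build the replacement in a local and swap it in only
 * once the read succeeded; on any failure *str is left untouched. The
 * size < 0 guard is an addition of this example, not part of the patch. */
static int read_ascii_after(mem_reader *pb, int size, char **str)
{
    char *res;
    if (size < 0)
        return -EINVAL;
    if (!(res = malloc((size_t)size + 1)))
        return -ENOMEM;
    if (mem_read(pb, (unsigned char *)res, size) != size) {
        free(res);
        return -EIO;
    }
    res[size] = '\0';
    free(*str);
    *str = res;
    return 0;
}

/* Downstream consumer that assumes the tag is non-NULL, like the strcmp()
 * users of default-valued tags the commit message mentions. */
static int is_matroska_doctype(const char *doctype)
{
    return strcmp(doctype, "matroska") == 0;
}

/* Constructed input: the element claims 8 bytes but only 3 are present.
 * Returns 1 when the old reader lost the default and the new one kept it. */
static int demo_truncated(void)
{
    static const unsigned char truncated[] = { 'm', 'a', 't' };
    mem_reader r1 = { truncated, sizeof truncated, 0 };
    mem_reader r2 = { truncated, sizeof truncated, 0 };
    char *before = dup_str("matroska");  /* default from the EBML syntax table */
    char *after  = dup_str("matroska");
    int rc_before = read_ascii_before(&r1, 8, &before);
    int rc_after  = read_ascii_after(&r2, 8, &after);
    /* before is now NULL: is_matroska_doctype(before) would dereference NULL. */
    int ok = rc_before == -EIO && before == NULL &&
             rc_after == -EIO && after != NULL && is_matroska_doctype(after);
    free(before);
    free(after);
    return ok;
}

/* A complete read replaces the default. Returns 1 on the expected result. */
static int demo_complete(void)
{
    static const unsigned char full[] = "webm";
    mem_reader r = { full, 4, 0 };
    char *str = dup_str("matroska");
    int ok = read_ascii_after(&r, 4, &str) == 0 && strcmp(str, "webm") == 0;
    free(str);
    return ok;
}

int main(void)
{
    printf("truncated read keeps the default only after the patch: %s\n",
           demo_truncated() ? "yes" : "no");
    printf("complete read replaces the default: %s\n",
           demo_complete() ? "yes" : "no");
    return 0;
}
```

The point of the two readers side by side is that the failure paths, not the success path, differ: with the old ordering a short read on a corrupted or truncated file turns a tag that had a default into NULL, and any later strcmp() on it crashes, whereas with the new ordering the caller's previous value survives every error return.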
