avio: fix potential crashes when combining ffio_ensure_seekback + crc

Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit dc877587) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avio: fix potential crashes when combining ffio_ensure_seekback + crc
Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit dc877587) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
3903a60d · wm4 · Michael Niedermayer · 58a0dc1b · 3903a60d
Commit 3903a60d authored Jun 16, 2015 by wm4 Committed by Michael Niedermayer Jul 28, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

aviobuf.c libavformat/aviobuf.c +3 -0

No files found.
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -785,6 +785,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    int max_buffer_size = s->max_packet_size ?
                          s->max_packet_size : IO_BUFFER_SIZE;
    int filled = s->buf_end - s->buffer;
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
    buf_size += s->buf_ptr - s->buffer + max_buffer_size;
@@ -802,6 +803,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    s->buf_end = buffer + (s->buf_end - s->buffer);
    s->buffer = buffer;
    s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
    return 0;
 }