Commit 539603e8 authored by wm4, committed by Michael Niedermayer

avio: fix potential crashes when combining ffio_ensure_seekback + crc

Calling ffio_ensure_seekback() if ffio_init_checksum() has been called
on the same context can lead to out of bounds memory accesses and
crashes. The reason is that ffio_ensure_seekback() does not update
checksum_ptr after reallocating the buffer, resulting in a dangling
pointer.

This effectively fixes potential crashes when opening mp3 files.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dc877587)

Conflicts:

	libavformat/aviobuf.c
parent f87d76e6
...@@ -765,6 +765,7 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size) ...@@ -765,6 +765,7 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size)
uint8_t *buffer; uint8_t *buffer;
int max_buffer_size = s->max_packet_size ? int max_buffer_size = s->max_packet_size ?
s->max_packet_size : IO_BUFFER_SIZE; s->max_packet_size : IO_BUFFER_SIZE;
ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;
buf_size += s->buf_ptr - s->buffer + max_buffer_size; buf_size += s->buf_ptr - s->buffer + max_buffer_size;
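Review bot: The new `checksum_ptr_offset` line relies on an unstated invariant, namely that `s->checksum_ptr`, when non-NULL, always points at or after `s->buffer`, so that `-1` can never collide with a real offset; a one-line comment stating that invariant next to the declaration would make the sentinel choice obvious to the next reader. The placement itself is right: the offset is taken relative to the old `s->buffer` before any reallocation happens, which is exactly what the later restore needs.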
...@@ -782,6 +783,8 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size) ...@@ -782,6 +783,8 @@ int ffio_ensure_seekback(AVIOContext *s, int buf_size)
s->buf_end = buffer + (s->buf_end - s->buffer); s->buf_end = buffer + (s->buf_end - s->buffer);
s->buffer = buffer; s->buffer = buffer;
s->buffer_size = buf_size; s->buffer_size = buf_size;
if (checksum_ptr_offset >= 0)
s->checksum_ptr = s->buffer + checksum_ptr_offset;
return 0; return 0;
} }
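Review bot: The restore `s->checksum_ptr = s->buffer + checksum_ptr_offset;` is correctly ordered after `s->buffer = buffer;`, so the saved offset is rebased onto the new allocation rather than the freed one; the hazard this fixes is precisely a pointer into `s->buffer` left unrebased across reallocation, so consider a short comment at this point noting that any other pointer into the buffer (here `checksum_ptr`) must be rebased whenever `s->buffer` is replaced, to keep the same bug from being reintroduced by later changes to this function.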