| 1 |
Description: fix denial of service and possible code execution via malformed OGG |
| 2 |
Origin: upstream, http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd63c32ff6f6a24dc971a0bb2ca8f8a4f57e79da |
| 3 |
Bug: http://code.google.com/p/chromium/issues/detail?id=71788 |
| 4 |
|
| 5 |
diff -Nur ffmpeg-0.6/libavformat/oggdec.c ffmpeg-0.6.new/libavformat/oggdec.c |
| 6 |
--- ffmpeg-0.6/libavformat/oggdec.c 2010-05-23 22:09:36.000000000 -0400 |
| 7 |
+++ ffmpeg-0.6.new/libavformat/oggdec.c 2011-09-16 09:31:56.456351992 -0400 |
| 8 |
@@ -582,15 +582,15 @@ |
| 9 |
int64_t pos_limit) |
| 10 |
{ |
| 11 |
struct ogg *ogg = s->priv_data; |
| 12 |
- struct ogg_stream *os = ogg->streams + stream_index; |
| 13 |
ByteIOContext *bc = s->pb; |
| 14 |
int64_t pts = AV_NOPTS_VALUE; |
| 15 |
- int i; |
| 16 |
+ int i = -1; |
| 17 |
url_fseek(bc, *pos_arg, SEEK_SET); |
| 18 |
ogg_reset(ogg); |
| 19 |
|
| 20 |
while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) { |
| 21 |
if (i == stream_index) { |
| 22 |
+ struct ogg_stream *os = ogg->streams + stream_index; |
| 23 |
pts = ogg_calc_pts(s, i, NULL); |
| 24 |
if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY)) |
| 25 |
pts = AV_NOPTS_VALUE; |
| 26 |
@@ -615,6 +615,7 @@ |
| 27 |
os->keyframe_seek = 1; |
| 28 |
|
| 29 |
ret = av_seek_frame_binary(s, stream_index, timestamp, flags); |
| 30 |
+ os = ogg->streams + stream_index; |
| 31 |
if (ret < 0) |
| 32 |
os->keyframe_seek = 0; |
| 33 |
return ret; |
Parent Directory
| 
Revision Log