Description: fix denial of service and possible code execution via malformed OGG |
Origin: upstream, http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd63c32ff6f6a24dc971a0bb2ca8f8a4f57e79da |
Bug: http://code.google.com/p/chromium/issues/detail?id=71788 |
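--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -582,15 +582,15 @@
 int64_t pos_limit)
 {
 struct ogg *ogg = s->priv_data;
- struct ogg_stream *os = ogg->streams + stream_index;
 ByteIOContext *bc = s->pb;
 int64_t pts = AV_NOPTS_VALUE;
- int i;
+ int i = -1;
 url_fseek(bc, *pos_arg, SEEK_SET);
 ogg_reset(ogg);
 
 while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
 if (i == stream_index) {
+ struct ogg_stream *os = ogg->streams + stream_index;
 pts = ogg_calc_pts(s, i, NULL);
 if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
 pts = AV_NOPTS_VALUE;
@@ -615,6 +615,7 @@
 os->keyframe_seek = 1;
 
 ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+ os = ogg->streams + stream_index;
 if (ret < 0)
 os->keyframe_seek = 0;
 return ret;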
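Review bot: The re-assignment `os = ogg->streams + stream_index;` after `av_seek_frame_binary()` in the second hunk carries no comment, so it reads as a redundant statement that a later cleanup could delete, bringing back the stale pointer this patch removes. The same holds for the declaration moved inside `if (i == stream_index)` in the first hunk. Presumably `ogg->streams` can be reallocated while packets are read from a malformed file (the hunks do not show that code), so I would add `/* ogg->streams may have moved during the seek; never reuse a pointer taken before it */` above the new line and a matching comment in the loop. Both function bodies start and end outside the hunks, so whether `stream_index` is range-checked against the stream count before these dereferences cannot be confirmed from here.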