[SCM] ffmpeg/ubuntu: Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Wed Sep 28 07:45:00 UTC 2011


The following commit has been merged in the ubuntu branch:
commit a7fa29a0a3a497abc17d61f837f8ea96c08b3157
Author: Reinhard Tartler <siretart at tauware.de>
Date:   Tue Sep 27 23:57:34 2011 +0200

    Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080

diff --git a/debian/patches/post-0.7.1/0070-Fix-memory-re-allocation-in-matroskadec.c-related-to.patch b/debian/patches/post-0.7.1/0070-Fix-memory-re-allocation-in-matroskadec.c-related-to.patch
new file mode 100644
index 0000000..ee1eab3
--- /dev/null
+++ b/debian/patches/post-0.7.1/0070-Fix-memory-re-allocation-in-matroskadec.c-related-to.patch
@@ -0,0 +1,116 @@
+From 77d2ef13a8fa630e5081f14bde3fd20f84c90aec Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Thu, 28 Jul 2011 14:59:54 +0200
+Subject: [PATCH] Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
+
+Whitespace of the patch cleaned up by Aurel
+Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+
+(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
+
+Further suggestions from Kostya <kostya.shishkov at gmail.com> have been
+implemented by Reinhard Tartler <siretart at tauware.de>
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/matroskadec.c |   37 +++++++++++++++++++++++++++++--------
+ 1 files changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index af5532b..89df095 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
+     uint32_t id = syntax->id;
+     uint64_t length;
+     int res;
++    void *newelem;
+ 
+     data = (char *)data + syntax->data_offset;
+     if (syntax->list_elem_size) {
+         EbmlList *list = data;
+-        list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++        newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++        if (!newelem)
++            return AVERROR(ENOMEM);
++        list->elem = newelem;
+         data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
+         memset(data, 0, syntax->list_elem_size);
+         list->nb_elem++;
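Review bot: The size expression `(list->nb_elem+1)*syntax->list_elem_size` passed to av_realloc() is still computed without an overflow check, so the new NULL test only covers allocator failure. The operand types are not visible in this hunk; if they are `int`, a file with enough list elements could wrap the product and leave the buffer smaller than the `memset` and later element writes assume. Consider rejecting the element before growing, e.g. `if (list->nb_elem >= INT_MAX / syntax->list_elem_size) return AVERROR(ENOMEM);`. ebml_parse_elem continues past the end of the hunk.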
+@@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+     uint8_t* data = *buf;
+     int isize = *buf_size;
+     uint8_t* pkt_data = NULL;
++    uint8_t* newpktdata;
+     int pkt_size = isize;
+     int result = 0;
+     int olen;
+@@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+         zstream.avail_in = isize;
+         do {
+             pkt_size *= 3;
+-            pkt_data = av_realloc(pkt_data, pkt_size);
++            newpktdata = av_realloc(pkt_data, pkt_size);
++            if (!newpktdata) {
++                inflateEnd(&zstream);
++                goto failed;
++            }
++            pkt_data = newpktdata;
+             zstream.avail_out = pkt_size - zstream.total_out;
+             zstream.next_out = pkt_data + zstream.total_out;
+             result = inflate(&zstream, Z_NO_FLUSH);
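Review bot: `pkt_size *= 3` in this loop has no upper bound: `pkt_size` is an `int` (see the declarations in the hunk at -935), so a stream that keeps producing output makes the multiplication overflow, which is undefined behaviour, and the following `pkt_size - zstream.total_out` then no longer describes the real buffer. The new NULL check handles allocator failure but relies on av_realloc() rejecting whatever value the overflow produced. A cap before growing, such as `if (pkt_size > INT_MAX / 3) { inflateEnd(&zstream); goto failed; }`, bounds both the arithmetic and the memory a crafted file can request; the bzip2 loop in the hunk at -985 needs the same guard with `BZ2_bzDecompressEnd(&bzstream)`. The `failed` label lies outside the hunk, so confirm it frees `pkt_data`, which is still allocated when the realloc fails.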
+@@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+         bzstream.avail_in = isize;
+         do {
+             pkt_size *= 3;
+-            pkt_data = av_realloc(pkt_data, pkt_size);
++            newpktdata = av_realloc(pkt_data, pkt_size);
++            if (!newpktdata) {
++                BZ2_bzDecompressEnd(&bzstream);
++                goto failed;
++            }
++            pkt_data = newpktdata;
+             bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
+             bzstream.next_out = pkt_data + bzstream.total_out_lo32;
+             result = BZ2_bzDecompress(&bzstream);
+@@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
+     }
+ }
+ 
+-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
++static int matroska_merge_packets(AVPacket *out, AVPacket *in)
+ {
+-    out->data = av_realloc(out->data, out->size+in->size);
++    void *newdata = av_realloc(out->data, out->size+in->size);
++    if (!newdata)
++        return AVERROR(ENOMEM);
++    out->data = newdata;
+     memcpy(out->data+out->size, in->data, in->size);
+     out->size += in->size;
+     av_destruct_packet(in);
+     av_free(in);
++    return 0;
+ }
+ 
+ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
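Review bot: matroska_merge_packets() now reports failure, but none of the hunks in this patch touches a call site, so unless callers are updated elsewhere the `AVERROR(ENOMEM)` result is dropped. On that path `in` is neither merged nor freed, so the caller has to know it still owns the packet; a contract comment above the function would make this explicit, e.g. `/* Returns 0, or AVERROR(ENOMEM) with both packets unchanged; the caller still owns 'in'. */`. The sum `out->size+in->size` is also unchecked, and the field types are not visible here, so an overflow guard before the av_realloc() call is worth adding.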
+@@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
+         memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
+         av_free(matroska->packets[0]);
+         if (matroska->num_packets > 1) {
++            void *newpackets;
+             memmove(&matroska->packets[0], &matroska->packets[1],
+                     (matroska->num_packets - 1) * sizeof(AVPacket *));
+-            matroska->packets =
+-                av_realloc(matroska->packets, (matroska->num_packets - 1) *
+-                           sizeof(AVPacket *));
++            newpackets = av_realloc(matroska->packets,
++                            (matroska->num_packets - 1) * sizeof(AVPacket *));
++            if (newpackets)
++                matroska->packets = newpackets;
+         } else {
+             av_freep(&matroska->packets);
+         }
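Review bot: The result of this av_realloc() is deliberately ignored on failure, which is safe only because the call shrinks the array and the old block remains valid; that reasoning is not written down. A one-line comment such as `/* shrink only: on failure keep the old, larger array */` above `if (newpackets)` would stop a later reader from turning it into an error return or reintroducing the direct assignment. The decrement of `num_packets` is outside the hunk, so confirm the count and the array stay consistent on both paths.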
+-- 
+1.7.4.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8d109b9..f16bfac 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -67,6 +67,7 @@ post-0.7.1/0066-rv34-Fix-potential-overreads.patch
 post-0.7.1/0067-rv34-Check-for-invalid-slice-offsets.patch
 post-0.7.1/0068-ppc-fix-32-bit-PIC-build.patch
 post-0.7.1/0069-ppc-fix-some-pointer-to-integer-casts.patch
+post-0.7.1/0070-Fix-memory-re-allocation-in-matroskadec.c-related-to.patch
 
 01-Tweak-doxygen-config.patch
 02-make-MAP_ANONYMOUS_AVAILABLE.patch

-- 
Libav/FFmpeg packaging


