[vlc-commits] demux: ogg: fix use after free (fix #12360)
Francois Cartegnie
git at videolan.org
Thu Oct 9 00:08:09 CEST 2014
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Oct 8 19:13:25 2014 +0200| [b3664586b7db3bd94fad7dd12b9cad3633eaef1a] | committer: Francois Cartegnie
demux: ogg: fix use after free (fix #12360)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=b3664586b7db3bd94fad7dd12b9cad3633eaef1a
---
modules/demux/ogg.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/modules/demux/ogg.c b/modules/demux/ogg.c
index b7b9711..260ea48 100644
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@@ -1460,7 +1460,6 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
demux_sys_t *p_ogg = p_demux->p_sys ;
ogg_packet oggpacket;
- int i_stream = 0;
p_ogg->i_total_length = stream_Size ( p_demux->s );
msg_Dbg( p_demux, "File length is %"PRId64" bytes", p_ogg->i_total_length );
@@ -1476,16 +1475,12 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
* We found the beginning of our first logical stream. */
while( ogg_page_bos( &p_ogg->current_page ) )
{
- logical_stream_t *p_stream;
-
- p_stream = malloc( sizeof(logical_stream_t) );
+ logical_stream_t *p_stream = calloc( 1, sizeof(logical_stream_t) );
if( unlikely( !p_stream ) )
return VLC_ENOMEM;
TAB_APPEND( p_ogg->i_streams, p_ogg->pp_stream, p_stream );
- memset( p_stream, 0, sizeof(logical_stream_t) );
-
es_format_Init( &p_stream->fmt, 0, 0 );
es_format_Init( &p_stream->fmt_old, 0, 0 );
p_stream->b_initializing = true;
@@ -1517,6 +1512,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "found invalid vorbis header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1535,6 +1531,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "found invalid Speex header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1583,6 +1580,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "found invalid Flac header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1598,6 +1596,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "found invalid Theora header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1628,6 +1627,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Warn( p_demux, "found dirac header isn't decodable" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1665,6 +1665,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "invalid VP8 header found");
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1674,7 +1675,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
Ogg_ReadAnnodexHeader( p_demux, p_stream, &oggpacket );
/* kill annodex track */
- free( p_stream );
+ FREENULL( p_stream );
p_ogg->i_streams--;
}
/* Check for Annodex header */
@@ -1693,6 +1694,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "invalid kate header found");
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1798,6 +1800,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "invalid oggds audio header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1805,7 +1808,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "stream %d has an old header "
"but is of an unknown type", p_ogg->i_streams-1 );
- free( p_stream );
+ FREENULL( p_stream );
p_ogg->i_streams--;
}
}
@@ -1928,6 +1931,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "invalid oggds audio header" );
Ogg_LogicalStreamDelete( p_demux, p_stream );
+ p_stream = NULL;
p_ogg->i_streams--;
}
}
@@ -1946,7 +1950,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "stream %d has a header marker "
"but is of an unknown type", p_ogg->i_streams-1 );
- free( p_stream );
+ FREENULL( p_stream );
p_ogg->i_streams--;
}
}
@@ -1963,12 +1967,13 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{
msg_Dbg( p_demux, "stream %d is of unknown type",
p_ogg->i_streams-1 );
- free( p_stream );
+ FREENULL( p_stream );
p_ogg->i_streams--;
}
/* we'll need to get all headers */
- p_ogg->pp_stream[i_stream]->b_initializing &= p_ogg->pp_stream[i_stream]->b_force_backup;
+ if ( p_stream )
+ p_stream->b_initializing &= p_stream->b_force_backup;
if( Ogg_ReadPage( p_demux, &p_ogg->current_page ) != VLC_SUCCESS )
return VLC_EGENERIC;
@@ -1977,7 +1982,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
/* This is the first data page, which means we are now finished
* with the initial pages. We just need to store it in the relevant
* bitstream. */
- for( i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ )
+ for( int i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ )
{
if( ogg_stream_pagein( &p_ogg->pp_stream[i_stream]->os,
&p_ogg->current_page ) == 0 )
More information about the vlc-commits
mailing list