[vlc-commits] demux: ogg: fix use after free (fix #12360)

Francois Cartegnie git at videolan.org
Thu Oct 9 13:41:36 CEST 2014


vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Oct  8 19:13:25 2014 +0200| [abf74133941284b0af3b5c2240460b8017037e92] | committer: Jean-Baptiste Kempf

demux: ogg: fix use after free (fix #12360)

(cherry picked from commit b3664586b7db3bd94fad7dd12b9cad3633eaef1a)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=abf74133941284b0af3b5c2240460b8017037e92
---

 modules/demux/ogg.c |   29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/modules/demux/ogg.c b/modules/demux/ogg.c
index d7cd179..d69a675 100644
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@@ -1488,7 +1488,6 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
 {
     demux_sys_t *p_ogg = p_demux->p_sys  ;
     ogg_packet oggpacket;
-    int i_stream = 0;
 
     p_ogg->i_total_length = stream_Size ( p_demux->s );
     msg_Dbg( p_demux, "File length is %"PRId64" bytes", p_ogg->i_total_length );
@@ -1504,16 +1503,12 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
              * We found the beginning of our first logical stream. */
             while( ogg_page_bos( &p_ogg->current_page ) )
             {
-                logical_stream_t *p_stream;
-
-                p_stream = malloc( sizeof(logical_stream_t) );
+                logical_stream_t *p_stream = calloc( 1, sizeof(logical_stream_t) );
                 if( unlikely( !p_stream ) )
                     return VLC_ENOMEM;
 
                 TAB_APPEND( p_ogg->i_streams, p_ogg->pp_stream, p_stream );
 
-                memset( p_stream, 0, sizeof(logical_stream_t) );
-
                 es_format_Init( &p_stream->fmt, 0, 0 );
                 es_format_Init( &p_stream->fmt_old, 0, 0 );
                 p_stream->b_initializing = true;
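Review bot: `TAB_APPEND` still stores `p_stream` in `p_ogg->pp_stream` before any codec header read from the file has been validated, so every rejection branch further down has to undo the append by hand. That ordering appears to be what made the stale access possible in the first place, and nothing at the append site documents it. I would add a comment above the `TAB_APPEND` line, such as `/* Appended before header validation: each reject path must delete the stream, set p_stream = NULL and decrement i_streams. */`. The `while` body continues past the end of this hunk.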
@@ -1545,6 +1540,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "found invalid vorbis header" );
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
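Review bot: After `Ogg_LogicalStreamDelete( p_demux, p_stream )`, `p_ogg->i_streams--` lowers the count, but nothing visible here clears the array slot, so `p_ogg->pp_stream[p_ogg->i_streams]` presumably still holds the freed pointer (the body of `Ogg_LogicalStreamDelete` is outside the diff, so this is inferred). Adding `p_ogg->pp_stream[p_ogg->i_streams] = NULL;` right after the decrement would make any later stale access fail on a NULL pointer rather than touch freed memory. The same three-statement sequence is repeated in the Speex, Flac, Theora, dirac, VP8, kate and both oggds audio hunks; a small static helper taking `&p_stream` would keep those sites from drifting apart again.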
@@ -1563,6 +1559,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "found invalid Speex header" );
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1611,6 +1608,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "found invalid Flac header" );
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1626,6 +1624,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "found invalid Theora header" );
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1641,6 +1640,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Warn( p_demux, "found dirac header isn't decodable" );
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1678,6 +1678,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "invalid VP8 header found");
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1687,7 +1688,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                 {
                     Ogg_ReadAnnodexHeader( p_demux, p_stream, &oggpacket );
                     /* kill annodex track */
-                    free( p_stream );
+                    FREENULL( p_stream );
                     p_ogg->i_streams--;
                 }
                 /* Check for Annodex header */
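Review bot: `FREENULL( p_stream )` releases only the struct, whereas the neighbouring reject branches go through `Ogg_LogicalStreamDelete`, and by this point the stream has been through `es_format_Init` twice and `Ogg_ReadAnnodexHeader`. If any of those, or anything earlier in the loop body, attaches allocations to the stream, they leak here; the same applies to the three "unknown type" branches changed further down. Unless the plain free is deliberate, `Ogg_LogicalStreamDelete( p_demux, p_stream ); p_stream = NULL;` would make all reject paths consistent, and if it is deliberate a one-line comment saying why would help. Whether the delete function is safe on a stream at this stage cannot be confirmed from the hunk.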
@@ -1706,6 +1707,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "invalid kate header found");
                         Ogg_LogicalStreamDelete( p_demux, p_stream );
+                        p_stream = NULL;
                         p_ogg->i_streams--;
                     }
                 }
@@ -1811,6 +1813,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                         {
                             msg_Dbg( p_demux, "invalid oggds audio header" );
                             Ogg_LogicalStreamDelete( p_demux, p_stream );
+                            p_stream = NULL;
                             p_ogg->i_streams--;
                         }
                     }
@@ -1818,7 +1821,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "stream %d has an old header "
                             "but is of an unknown type", p_ogg->i_streams-1 );
-                        free( p_stream );
+                        FREENULL( p_stream );
                         p_ogg->i_streams--;
                     }
                 }
@@ -1941,6 +1944,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                         {
                             msg_Dbg( p_demux, "invalid oggds audio header" );
                             Ogg_LogicalStreamDelete( p_demux, p_stream );
+                            p_stream = NULL;
                             p_ogg->i_streams--;
                         }
                     }
@@ -1959,7 +1963,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                     {
                         msg_Dbg( p_demux, "stream %d has a header marker "
                             "but is of an unknown type", p_ogg->i_streams-1 );
-                        free( p_stream );
+                        FREENULL( p_stream );
                         p_ogg->i_streams--;
                     }
                 }
@@ -1976,12 +1980,13 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
                 {
                     msg_Dbg( p_demux, "stream %d is of unknown type",
                              p_ogg->i_streams-1 );
-                    free( p_stream );
+                    FREENULL( p_stream );
                     p_ogg->i_streams--;
                 }
 
                 /* we'll need to get all headers */
-                p_ogg->pp_stream[i_stream]->b_initializing &= p_ogg->pp_stream[i_stream]->b_force_backup;
+                if ( p_stream )
+                    p_stream->b_initializing &= p_stream->b_force_backup;
 
                 if( Ogg_ReadPage( p_demux, &p_ogg->current_page ) != VLC_SUCCESS )
                     return VLC_EGENERIC;
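Review bot: The new `if ( p_stream )` guard is correct only if every branch above that frees the stream also sets `p_stream` to NULL, and nothing at the guard says so. A comment such as `/* p_stream is NULL when the header was rejected and the stream deleted above */` would record that invariant for whoever adds the next codec branch. The enclosing loop starts outside this hunk, so branches this commit does not touch should be checked for the same nulling.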
@@ -1990,7 +1995,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
             /* This is the first data page, which means we are now finished
              * with the initial pages. We just need to store it in the relevant
              * bitstream. */
-            for( i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ )
+            for( int i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ )
             {
                 if( ogg_stream_pagein( &p_ogg->pp_stream[i_stream]->os,
                                        &p_ogg->current_page ) == 0 )


