avio: fix potential crashes when combining ffio_ensure_seekback + crc

Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago · dc87758775
parent e29d996149
commit dc87758775
1 changed files with 3 additions and 0 deletions
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@ -813,6 +813,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    int max_buffer_size = s->max_packet_size ?
                          s->max_packet_size : IO_BUFFER_SIZE;
    int filled = s->buf_end - s->buffer;
+    ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1;

    buf_size += s->buf_ptr - s->buffer + max_buffer_size;

@ -830,6 +831,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
    s->buf_end = buffer + (s->buf_end - s->buffer);
    s->buffer = buffer;
    s->buffer_size = buf_size;
+    if (checksum_ptr_offset >= 0)
+        s->checksum_ptr = s->buffer + checksum_ptr_offset;
    return 0;
 }