[FFmpeg-devel,6/7] lavf/flacenc: avoid buffer overread with unexpected extradata sizes

Submitted by Rodger Combs on Aug. 2, 2017, 6:30 a.m.

Details

Message ID 1501655445-18976-6-git-send-email-rodger.combs@gmail.com
State New

Commit Message

Rodger Combs Aug. 2, 2017, 6:30 a.m.
---
 libavformat/flacenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Aug. 2, 2017, 1 p.m.
On Wed, Aug 02, 2017 at 01:30:44AM -0500, Rodger Combs wrote:
> ---
>  libavformat/flacenc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
> index 9768b6a..1906aee 100644
> --- a/libavformat/flacenc.c
> +++ b/libavformat/flacenc.c
> @@ -322,7 +322,7 @@ static int flac_write_trailer(struct AVFormatContext *s)
>      if (!c->write_header || !streaminfo)
>          return 0;
>  
> -    if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
> +    if (pb->seekable & AVIO_SEEKABLE_NORMAL && (c->streaminfo || s->streams[0]->codecpar->extradata_size == FLAC_STREAMINFO_SIZE)) {
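Review bot: the new condition on the `+` line mixes `&` and `&&` without grouping; it parses as intended because `&` binds tighter than `&&`, but the line runs well past 80 columns and the extradata-size guard is a separate check from the seekability test, so wrap it and parenthesize `(pb->seekable & AVIO_SEEKABLE_NORMAL)` on its own line with the `c->streaminfo || ... extradata_size == FLAC_STREAMINFO_SIZE` clause on the next, so a reader sees two conditions rather than one long expression.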


this looks a bit odd

uint8_t *streaminfo = c->streaminfo ? c->streaminfo :
                                          s->streams[0]->codecpar->extradata;
...
> +    if (pb->seekable & AVIO_SEEKABLE_NORMAL && (c->streaminfo || s->streams[0]->codecpar->extradata_size == FLAC_STREAMINFO_SIZE)) {

isn't this just "&& c->streaminfo" ?

also is s->streams[0] correct ?
shouldn't this use c->audio_stream_idx ?

[...]

Patch

diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
index 9768b6a..1906aee 100644
--- a/libavformat/flacenc.c
+++ b/libavformat/flacenc.c
@@ -322,7 +322,7 @@  static int flac_write_trailer(struct AVFormatContext *s)
     if (!c->write_header || !streaminfo)
         return 0;
 
-    if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
+    if (pb->seekable & AVIO_SEEKABLE_NORMAL && (c->streaminfo || s->streams[0]->codecpar->extradata_size == FLAC_STREAMINFO_SIZE)) {
         /* rewrite the STREAMINFO header block data */
         file_size = avio_tell(pb);
         avio_seek(pb, 8, SEEK_SET);
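Review bot: the guard on the `+` line makes flac_write_trailer silently skip the STREAMINFO rewrite when `c->streaminfo` is NULL and `extradata_size != FLAC_STREAMINFO_SIZE`, but the overread named in the subject comes from `streaminfo` being taken from `codecpar->extradata` without a size check, so the validation belongs where that pointer is chosen (next to the `!streaminfo` early return at the top of the hunk), with an error or at least a log message when the size is unexpected, rather than leaving the header stale with no indication; that keeps the size check beside the buffer it protects instead of hiding it in the seekable branch. The new clause also hardcodes `s->streams[0]` while the rest of the function works through the muxer context `c`; the stream index should come from whatever the muxer already records as its audio stream so the check and the rewrite refer to the same stream.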