From patchwork Tue Jul  3 21:05:28 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 9598
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 2002:a02:104:0:0:0:0:0 with SMTP id c4-v6csp58488jad;
	Tue, 3 Jul 2018 14:06:42 -0700 (PDT)
X-Google-Smtp-Source: 
 AAOMgpfMG53X7xYaIPS5oW0mEFm/CZdrYDAwqtJbwu/3z21K+Ic4Iz8EcTlr60frXkf3bblc8jgB
X-Received: by 2002:a1c:3b05:: with SMTP id
	i5-v6mr2313074wma.57.1530652002426;
	Tue, 03 Jul 2018 14:06:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530652002; cv=none;
	d=google.com; s=arc-20160816;
	b=z8oX7+cAS2xZyLG5NwjtkkPzk4tbNC9IJp/bN2XO2ErRdpcxWhg85cNcpGFQJKGewo
	kx3JtbDo1GhroAax1nGIoJQvgDwQlTwZICZpWspJwatJu1gs8cjZWg3Q3jvzoI+16KMq
	aMx2DxqX20fpbjnqDD7JrmS0JmIIOEBp6H9VrKIqz3QOu897CWzCRKpLoemldgPw0YvF
	xZCAUNRRcNgvk+u1nhrQRgOaZilv/o8Yxoj9Mgb2v5o2/kuPn5THHgMcFga71hmHYXzT
	eu63oLcD3VOp5olNGX/8uXsW6dYDuN69WGEQE1Ce6Q8KxH3V1zb1YUPUjS2GGYAQlz6V
	c35g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:references:in-reply-to:message-id:date
	:to:from:delivered-to:arc-authentication-results;
	bh=TsxtE/rAA/A6XCPJQtpsKRWfZSQ66sZPlp/DEw2iAZs=;
	b=NOtCJGMBGir5G4K4MnXAip2Q6P2ZL6qg+NyHGAd/ZXOOGTU1JEssprGKsdvCAdToev
	eDEPPZGhcTRUKVFC0/VBEZeB0RM7tqU6afZXcHVv084yldIkUhTOqW9l0wctJ+XqmJVP
	8YQYNx4u40otx4mLpY3TPEroE7M75unl29AbMvv1tq9UZ6Ws2+eyE8UMPnlPQEujBDrP
	yAm66LYUQ+HTCKq/92cpVUw32PawKuvo5+gPoJbyj0mcKT54t6TYQHMIvdJRFufoxUkW
	TucU8ooO/gefuhbASF69H0EeIiIDT3rfWrBRSh8a1Cq1YxM45tPnKA90sNahHP7NJUpJ
	BkMA==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	g2-v6si1648780wmi.218.2018.07.03.14.06.42;
	Tue, 03 Jul 2018 14:06:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 52D5868A958;
	Wed,  4 Jul 2018 00:06:29 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe08-2.mx.upcmail.net
	(vie01a-dmta-pe08-2.mx.upcmail.net [84.116.36.21])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 96C3C68A94D
	for <ffmpeg-devel@ffmpeg.org>; Wed,  4 Jul 2018 00:06:22 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe08.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1faSVG-0003nq-7x
	for ffmpeg-devel@ffmpeg.org; Tue, 03 Jul 2018 23:06:26 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id 6M6Q1y00U0S5wYM01M6Rzf; Tue, 03 Jul 2018 23:06:25 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue,  3 Jul 2018 23:05:28 +0200
Message-Id: <20180703210530.7493-4-michael@niedermayer.cc>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180703210530.7493-1-michael@niedermayer.cc>
References: <20180703210530.7493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] avformat/rmdec: Do not pass mime type in
	rm_read_multi() to ff_rm_read_mdpr_codecdata()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: use after free()
Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rmdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index ac61723c66..0216003e88 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -522,7 +522,7 @@ static int rm_read_multi(AVFormatContext *s, AVIOContext *pb,
 
         size2 = avio_rb32(pb);
         ret = ff_rm_read_mdpr_codecdata(s, s->pb, st2, st2->priv_data,
-                                        size2, mime);
+                                        size2, NULL);
         if (ret < 0)
             return ret;
     }