Commit abf74133 authored by Francois Cartegnie's avatar Francois Cartegnie Committed by Jean-Baptiste Kempf

demux: ogg: fix use after free (fix #12360)

(cherry picked from commit b3664586b7db3bd94fad7dd12b9cad3633eaef1a)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent 1530ef4f
...@@ -1488,7 +1488,6 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1488,7 +1488,6 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
demux_sys_t *p_ogg = p_demux->p_sys ; demux_sys_t *p_ogg = p_demux->p_sys ;
ogg_packet oggpacket; ogg_packet oggpacket;
int i_stream = 0;
p_ogg->i_total_length = stream_Size ( p_demux->s ); p_ogg->i_total_length = stream_Size ( p_demux->s );
msg_Dbg( p_demux, "File length is %"PRId64" bytes", p_ogg->i_total_length ); msg_Dbg( p_demux, "File length is %"PRId64" bytes", p_ogg->i_total_length );
...@@ -1504,16 +1503,12 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1504,16 +1503,12 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
* We found the beginning of our first logical stream. */ * We found the beginning of our first logical stream. */
while( ogg_page_bos( &p_ogg->current_page ) ) while( ogg_page_bos( &p_ogg->current_page ) )
{ {
logical_stream_t *p_stream; logical_stream_t *p_stream = calloc( 1, sizeof(logical_stream_t) );
p_stream = malloc( sizeof(logical_stream_t) );
if( unlikely( !p_stream ) ) if( unlikely( !p_stream ) )
return VLC_ENOMEM; return VLC_ENOMEM;
TAB_APPEND( p_ogg->i_streams, p_ogg->pp_stream, p_stream ); TAB_APPEND( p_ogg->i_streams, p_ogg->pp_stream, p_stream );
memset( p_stream, 0, sizeof(logical_stream_t) );
es_format_Init( &p_stream->fmt, 0, 0 ); es_format_Init( &p_stream->fmt, 0, 0 );
es_format_Init( &p_stream->fmt_old, 0, 0 ); es_format_Init( &p_stream->fmt_old, 0, 0 );
p_stream->b_initializing = true; p_stream->b_initializing = true;
...@@ -1545,6 +1540,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1545,6 +1540,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "found invalid vorbis header" ); msg_Dbg( p_demux, "found invalid vorbis header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1563,6 +1559,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1563,6 +1559,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "found invalid Speex header" ); msg_Dbg( p_demux, "found invalid Speex header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1611,6 +1608,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1611,6 +1608,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "found invalid Flac header" ); msg_Dbg( p_demux, "found invalid Flac header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1626,6 +1624,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1626,6 +1624,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "found invalid Theora header" ); msg_Dbg( p_demux, "found invalid Theora header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1641,6 +1640,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1641,6 +1640,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Warn( p_demux, "found dirac header isn't decodable" ); msg_Warn( p_demux, "found dirac header isn't decodable" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1678,6 +1678,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1678,6 +1678,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "invalid VP8 header found"); msg_Dbg( p_demux, "invalid VP8 header found");
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1687,7 +1688,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1687,7 +1688,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
Ogg_ReadAnnodexHeader( p_demux, p_stream, &oggpacket ); Ogg_ReadAnnodexHeader( p_demux, p_stream, &oggpacket );
/* kill annodex track */ /* kill annodex track */
free( p_stream ); FREENULL( p_stream );
p_ogg->i_streams--; p_ogg->i_streams--;
} }
/* Check for Annodex header */ /* Check for Annodex header */
...@@ -1706,6 +1707,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1706,6 +1707,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "invalid kate header found"); msg_Dbg( p_demux, "invalid kate header found");
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1811,6 +1813,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1811,6 +1813,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "invalid oggds audio header" ); msg_Dbg( p_demux, "invalid oggds audio header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1818,7 +1821,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1818,7 +1821,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "stream %d has an old header " msg_Dbg( p_demux, "stream %d has an old header "
"but is of an unknown type", p_ogg->i_streams-1 ); "but is of an unknown type", p_ogg->i_streams-1 );
free( p_stream ); FREENULL( p_stream );
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1941,6 +1944,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1941,6 +1944,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "invalid oggds audio header" ); msg_Dbg( p_demux, "invalid oggds audio header" );
Ogg_LogicalStreamDelete( p_demux, p_stream ); Ogg_LogicalStreamDelete( p_demux, p_stream );
p_stream = NULL;
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1959,7 +1963,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1959,7 +1963,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "stream %d has a header marker " msg_Dbg( p_demux, "stream %d has a header marker "
"but is of an unknown type", p_ogg->i_streams-1 ); "but is of an unknown type", p_ogg->i_streams-1 );
free( p_stream ); FREENULL( p_stream );
p_ogg->i_streams--; p_ogg->i_streams--;
} }
} }
...@@ -1976,12 +1980,13 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1976,12 +1980,13 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
{ {
msg_Dbg( p_demux, "stream %d is of unknown type", msg_Dbg( p_demux, "stream %d is of unknown type",
p_ogg->i_streams-1 ); p_ogg->i_streams-1 );
free( p_stream ); FREENULL( p_stream );
p_ogg->i_streams--; p_ogg->i_streams--;
} }
/* we'll need to get all headers */ /* we'll need to get all headers */
p_ogg->pp_stream[i_stream]->b_initializing &= p_ogg->pp_stream[i_stream]->b_force_backup; if ( p_stream )
p_stream->b_initializing &= p_stream->b_force_backup;
if( Ogg_ReadPage( p_demux, &p_ogg->current_page ) != VLC_SUCCESS ) if( Ogg_ReadPage( p_demux, &p_ogg->current_page ) != VLC_SUCCESS )
return VLC_EGENERIC; return VLC_EGENERIC;
...@@ -1990,7 +1995,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux ) ...@@ -1990,7 +1995,7 @@ static int Ogg_FindLogicalStreams( demux_t *p_demux )
/* This is the first data page, which means we are now finished /* This is the first data page, which means we are now finished
* with the initial pages. We just need to store it in the relevant * with the initial pages. We just need to store it in the relevant
* bitstream. */ * bitstream. */
for( i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ ) for( int i_stream = 0; i_stream < p_ogg->i_streams; i_stream++ )
{ {
if( ogg_stream_pagein( &p_ogg->pp_stream[i_stream]->os, if( ogg_stream_pagein( &p_ogg->pp_stream[i_stream]->os,
&p_ogg->current_page ) == 0 ) &p_ogg->current_page ) == 0 )
......
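Review bot: The guard added before `p_stream->b_initializing &= p_stream->b_force_backup;` is only safe if every reject branch resets the pointer, and that invariant is kept by hand in each branch shown (`p_stream = NULL; p_ogg->i_streams--;` after `Ogg_LogicalStreamDelete`, `FREENULL( p_stream )` elsewhere), so a branch outside these hunks that frees without nulling would still reach the dereference. Decrementing `i_streams` also leaves the freed pointer in the `pp_stream` slot that `TAB_APPEND` filled, which appears harmless only while nothing indexes past the count; I would clear it in the same place, e.g. `p_ogg->pp_stream[p_ogg->i_streams] = NULL;` after the decrement, or fold the free, reset and decrement into one static helper. The annodex and unknown-type branches release the stream with `FREENULL` rather than `Ogg_LogicalStreamDelete`; if the stream's `os` or formats own allocations by that point (not visible here), those are presumably leaked, which deserves a comment or the same helper. The body of `Ogg_FindLogicalStreams` starts and ends outside the hunks shown.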