virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc()

Browse Source 
Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Chris Evans
2012-01-05 21:19:30 +01:00
committed by Reinhard Tartler
parent ce23b2af18
commit faaec4676c
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libavformat/matroskadec.c
View File

@@ -1188,7 +1188,6 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska, int idx
static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
{ {
EbmlList *seekhead_list = &matroska->seekhead; EbmlList *seekhead_list = &matroska->seekhead;
MatroskaSeekhead *seekhead = seekhead_list->elem;
int64_t before_pos = avio_tell(matroska->ctx->pb); int64_t before_pos = avio_tell(matroska->ctx->pb);
int i; int i;
@@ -1198,6 +1197,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska)
return; return;
for (i = 0; i < seekhead_list->nb_elem; i++) { for (i = 0; i < seekhead_list->nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos) if (seekhead[i].pos <= before_pos)
continue; continue;