avformat/ogg: Fix overflow and stale oggvorbis_private values

- Prevent integer overflow when summing header lengths; add bounds check.
- Re-initialize priv->vp with the new stream's extradata once all chained
  stream headers are collected.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Dale Curtis
2026-05-21 20:55:41 +00:00
committed by toots
parent cd02463dc6
commit 6e0e13b0bf


@@ -230,8 +230,11 @@ static int fixup_vorbis_headers(AVFormatContext *as,
int i, offset, len, err;
int buf_len;
unsigned char *ptr;
uint64_t total_len = (uint64_t)priv->len[0] + priv->len[1] + priv->len[2];
if (total_len + total_len / 255 + 64 > INT_MAX)
return AVERROR_INVALIDDATA;
len = priv->len[0] + priv->len[1] + priv->len[2];
len = total_len;
buf_len = len + len / 255 + 64;
if (*buf)
@@ -605,6 +608,13 @@ static int vorbis_packet(AVFormatContext *s, int idx)
priv->comment_size = 0;
av_freep(&priv->setup);
priv->setup_size = 0;
av_vorbis_parse_free(&priv->vp);
priv->vp = av_vorbis_parse_init(os->new_extradata, os->new_extradata_size);
if (!priv->vp) {
av_log(s, AV_LOG_ERROR, "Failed to re-initialize Vorbis parser\n");
return AVERROR_INVALIDDATA;
}
}
return skip_packet;
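Review bot: In the second hunk (vorbis_packet), the new error path returns with priv->vp left NULL, because the old parser is freed before av_vorbis_parse_init() is attempted, and nothing in the visible lines shows that later packets on this stream check for a missing parser before using it. vorbis_packet starts and ends outside the hunk, so please confirm it has an entry guard along the lines of `if (!priv->vp) return AVERROR_INVALIDDATA;`; without one, a chained stream whose collected headers fail parser init would turn into a NULL dereference on the next packet rather than a clean error. A short comment above the re-init would record the intent, e.g. `/* chained stream: vp must be rebuilt from the new link's extradata, not kept from the previous one */`. av_vorbis_parse_init() returns NULL for allocation failure as well as for malformed headers, so AVERROR_INVALIDDATA may misreport an out-of-memory condition here. In the first hunk, `len = total_len;` is an implicit uint64_t-to-int narrowing that is only safe because of the bound check just above it; `len = (int)total_len;` would make that dependency explicit.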