third_party_ffmpeg/libavformat/oggparsecelt.c
Michael Niedermayer 7140761481 avformat/oggparsecelt: Do not re-allocate os->private
Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-25 22:04:34 +02:00

96 lines
3.0 KiB
C

/*
* Xiph CELT parser for Ogg
* Copyright (c) 2011 Nicolas George
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <string.h>
#include "libavutil/intreadwrite.h"
#include "avformat.h"
#include "internal.h"
#include "oggdec.h"
struct oggcelt_private {
int extra_headers_left;
};
static int celt_header(AVFormatContext *s, int idx)
{
struct ogg *ogg = s->priv_data;
struct ogg_stream *os = ogg->streams + idx;
AVStream *st = s->streams[idx];
struct oggcelt_private *priv = os->private;
uint8_t *p = os->buf + os->pstart;
if (os->psize == 60 &&
!memcmp(p, ff_celt_codec.magic, ff_celt_codec.magicsize)) {
/* Main header */
uint32_t version, sample_rate, nb_channels;
uint32_t overlap, extra_headers;
priv = av_malloc(sizeof(struct oggcelt_private));
if (!priv)
return AVERROR(ENOMEM);
if (ff_alloc_extradata(st->codecpar, 2 * sizeof(uint32_t)) < 0) {
av_free(priv);
return AVERROR(ENOMEM);
}
version = AV_RL32(p + 28);
/* unused header size field skipped */
sample_rate = AV_RL32(p + 36);
nb_channels = AV_RL32(p + 40);
overlap = AV_RL32(p + 48);
/* unused bytes per packet field skipped */
extra_headers = AV_RL32(p + 56);
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
st->codecpar->codec_id = AV_CODEC_ID_CELT;
st->codecpar->sample_rate = sample_rate;
st->codecpar->channels = nb_channels;
if (sample_rate)
avpriv_set_pts_info(st, 64, 1, sample_rate);
if (os->private) {
av_free(priv);
priv = os->private;
}
os->private = priv;
priv->extra_headers_left = 1 + extra_headers;
AV_WL32(st->codecpar->extradata + 0, overlap);
AV_WL32(st->codecpar->extradata + 4, version);
return 1;
} else if (priv && priv->extra_headers_left) {
/* Extra headers (vorbiscomment) */
ff_vorbis_stream_comment(s, st, p, os->psize);
priv->extra_headers_left--;
return 1;
} else {
return 0;
}
}
const struct ogg_codec ff_celt_codec = {
.magic = "CELT ",
.magicsize = 8,
.header = celt_header,
.nb_header = 2,
};