diff --git a/NEWS b/NEWS index 9c44eaf0a..7b5d6df07 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ ver 0.19.11 (not yet released) * tags - ape: fix buffer overflow +* decoder + - ffmpeg: fix crash due to wrong avio_alloc_context() call * encoder - flac: fix crash with 32 bit playback diff --git a/src/decoder/plugins/FfmpegDecoderPlugin.cxx b/src/decoder/plugins/FfmpegDecoderPlugin.cxx index d5191a3c3..689089107 100644 --- a/src/decoder/plugins/FfmpegDecoderPlugin.cxx +++ b/src/decoder/plugins/FfmpegDecoderPlugin.cxx @@ -92,14 +92,14 @@ struct AvioStream { AVIOContext *io; - unsigned char buffer[8192]; - AvioStream(Decoder *_decoder, InputStream &_input) :decoder(_decoder), input(_input), io(nullptr) {} ~AvioStream() { - if (io != nullptr) + if (io != nullptr) { + av_free(io->buffer); av_free(io); + } } bool Open(); @@ -153,11 +153,20 @@ mpd_ffmpeg_stream_seek(void *opaque, int64_t pos, int whence) bool AvioStream::Open() { - io = avio_alloc_context(buffer, sizeof(buffer), + constexpr size_t BUFFER_SIZE = 8192; + auto buffer = (unsigned char *)av_malloc(BUFFER_SIZE); + if (buffer == nullptr) + return false; + + io = avio_alloc_context(buffer, BUFFER_SIZE, false, this, mpd_ffmpeg_stream_read, nullptr, input.IsSeekable() ? mpd_ffmpeg_stream_seek : nullptr); + /* If avio_alloc_context() fails, who frees the buffer? The + libavformat API documentation does not specify this, it + only says that AVIOContext.buffer must be freed in the end, + however no AVIOContext exists in that failure code path. */ return io != nullptr; }