From 1958f78cc1bd47ce1c9b57db41194f85aed942ab Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Mon, 26 Oct 2015 13:06:29 +0100
Subject: [PATCH] decoder/ffmpeg: fix crash due to wrong avio_alloc_context() call

Allocate the buffer dynamically using av_malloc(), and free AVIOContext.buffer in the destructor, as mandated by the libavformat documentation.

Fixes http://bugs.musicpd.org/view.php?id=4446
---
 NEWS | 2 ++
 src/decoder/plugins/FfmpegDecoderPlugin.cxx | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 9c44eaf0a..7b5d6df07 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 ver 0.19.11 (not yet released)
 * tags
 - ape: fix buffer overflow
+* decoder
+ - ffmpeg: fix crash due to wrong avio_alloc_context() call
 * encoder
 - flac: fix crash with 32 bit playback
 
diff --git a/src/decoder/plugins/FfmpegDecoderPlugin.cxx b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
index d5191a3c3..689089107 100644
--- a/src/decoder/plugins/FfmpegDecoderPlugin.cxx
+++ b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
@@ -92,14 +92,14 @@ struct AvioStream {
 
 AVIOContext *io;
 
- unsigned char buffer[8192];
-
 AvioStream(Decoder *_decoder, InputStream &_input)
 :decoder(_decoder), input(_input), io(nullptr) {}
 
 ~AvioStream() {
- if (io != nullptr)
+ if (io != nullptr) {
+ av_free(io->buffer);
 av_free(io);
+ }
 }
 
 bool Open();
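Review bot: The destructor now releases two resources through `io`, but nothing in this hunk prevents an AvioStream from being copied, and a copy made after Open() would run `av_free(io->buffer)` and `av_free(io)` twice on the same pointers. Unless the copy operations are already deleted elsewhere in the struct (its body continues outside the hunk), add `AvioStream(const AvioStream &) = delete;` and `AvioStream &operator=(const AvioStream &) = delete;` next to the constructor so the ownership the destructor assumes is enforced by the type. Freeing the pointer read through `io->buffer` rather than a cached av_malloc() result looks like the right choice here, since libavformat may, as far as I know, reallocate the buffer behind the context. Freeing the buffer before the context that refers to it keeps the order safe.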
@@ -153,11 +153,20 @@ mpd_ffmpeg_stream_seek(void *opaque, int64_t pos, int whence)
 bool
 AvioStream::Open()
 {
- io = avio_alloc_context(buffer, sizeof(buffer),
+ constexpr size_t BUFFER_SIZE = 8192;
+ auto buffer = (unsigned char *)av_malloc(BUFFER_SIZE);
+ if (buffer == nullptr)
+ return false;
+
+ io = avio_alloc_context(buffer, BUFFER_SIZE,
 false, this,
 mpd_ffmpeg_stream_read, nullptr,
 input.IsSeekable()
 ? mpd_ffmpeg_stream_seek : nullptr);
+ /* If avio_alloc_context() fails, who frees the buffer? The libavformat API documentation does not specify this, it only says that AVIOContext.buffer must be freed in the end, however no AVIOContext exists in that failure code path. */
 return io != nullptr;
 }
 
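Review bot: The av_malloc()'d buffer is leaked when avio_alloc_context() returns nullptr: the final `return io != nullptr;` reports failure with `buffer` still allocated, which the added comment acknowledges but does not resolve. As far as I can tell from libavformat's implementation, the context struct is allocated before the buffer pointer is stored in it, so on failure the caller still owns the buffer and can release it; changing the tail to `if (io == nullptr) av_free(buffer);` followed by `return io != nullptr;` closes the leak without touching the success path, where the destructor now owns the buffer. The C-style cast should be `static_cast<unsigned char *>(av_malloc(BUFFER_SIZE))`, which is greppable and cannot silently degrade into a reinterpret_cast. Moving the buffer to the heap is the correct fix for the crash, since libavformat treats AVIOContext.buffer as memory it may free or reallocate, which a stack array cannot survive.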