File ffmpeg-CVE-2020-22016.patch of Package ffmpeg.35105
From 58aa0ed8f10753ee90f4a4a1f4f3da803cf7c145 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Wed, 25 Sep 2019 14:21:07 -0300
Subject: [PATCH] aformat/movenc: add missing padding to output track extradata
Fixes ticket #8183.
Tested-by: Thierry Foucu <tfoucu@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavformat/movenc.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index e095af0972..715bec1c2f 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -5378,12 +5378,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
!TAG_IS_AVCI(trk->tag) &&
(par->codec_id != AV_CODEC_ID_DNXHD)) {
trk->vos_len = par->extradata_size;
- trk->vos_data = av_malloc(trk->vos_len);
+ trk->vos_data = av_malloc(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE);
if (!trk->vos_data) {
ret = AVERROR(ENOMEM);
goto err;
}
memcpy(trk->vos_data, par->extradata, trk->vos_len);
+ memset(trk->vos_data + trk->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
}
if (par->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 &&
@@ -5461,12 +5462,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
par->codec_id == AV_CODEC_ID_AC3) && !trk->vos_len) {
/* copy frame to create needed atoms */
trk->vos_len = size;
- trk->vos_data = av_malloc(size);
+ trk->vos_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!trk->vos_data) {
ret = AVERROR(ENOMEM);
goto err;
}
memcpy(trk->vos_data, pkt->data, size);
+ memset(trk->vos_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
}
if (trk->entry >= trk->cluster_capacity) {
@@ -6091,12 +6093,13 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track,
cur += strspn(cur, "\n\r");
}
if (have_palette) {
- track->vos_data = av_malloc(16*4);
+ track->vos_data = av_malloc(16*4 + AV_INPUT_BUFFER_PADDING_SIZE);
if (!track->vos_data)
return AVERROR(ENOMEM);
for (i = 0; i < 16; i++) {
AV_WB32(track->vos_data + i * 4, palette[i]);
}
+ memset(track->vos_data + 16*4, 0, AV_INPUT_BUFFER_PADDING_SIZE);
track->vos_len = 16 * 4;
}
st->codecpar->width = width;
@@ -6454,11 +6457,12 @@ static int mov_write_header(AVFormatContext *s)
mov_create_dvd_sub_decoder_specific_info(track, st);
else if (!TAG_IS_AVCI(track->tag) && st->codecpar->codec_id != AV_CODEC_ID_DNXHD) {
track->vos_len = st->codecpar->extradata_size;
- track->vos_data = av_malloc(track->vos_len);
+ track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE);
if (!track->vos_data) {
return AVERROR(ENOMEM);
}
memcpy(track->vos_data, st->codecpar->extradata, track->vos_len);
+ memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
}
}
@@ -6714,10 +6718,11 @@ static int mov_write_trailer(AVFormatContext *s)
AVCodecParameters *par = track->par;
track->vos_len = par->extradata_size;
- track->vos_data = av_malloc(track->vos_len);
+ track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE);
if (!track->vos_data)
return AVERROR(ENOMEM);
memcpy(track->vos_data, par->extradata, track->vos_len);
+ memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
}
mov->need_rewrite_extradata = 0;
}
--
2.31.1