Fix an invalid-free-bug in the ogg audio format handler code.
author	Andre Noll <maan@systemlinux.org>
	Mon, 9 Aug 2010 22:15:04 +0000 (00:15 +0200)
committer	Andre Noll <maan@systemlinux.org>
	Mon, 9 Aug 2010 22:15:04 +0000 (00:15 +0200)
In process_ogg_packets(), if ogg_sync_pageout() fails, we jump to
the out label where "stream" is being freed by ogg_stream_clear()
without being initialized.

This causes para_afh and para_server to segfault in libogg:

*** glibc detected *** para_afh: munmap_chunk(): invalid pointer: 0x6f890d42 ***
======= Backtrace: =========
/usr/lib/glibc/lib/libc.so.6(+0x66e5a)[0x6f712e5a]
/usr/lib/glibc/lib/libc.so.6(+0x68021)[0x6f714021]
/usr/local/lib/libogg.so.0(ogg_stream_clear+0x2f)[0x6f891adf]
para_afh[0x804cb52]
para_afh[0x804cbeb]
para_afh[0x804ce59]
para_afh[0x804be71]
para_afh[0x804a97c]
/usr/lib/glibc/lib/libc.so.6(__libc_start_main+0xd9)[0x6f6c2c79]
para_afh[0x8049991]

Fix this bug by returning the error code directly rather than jumping
to "out".
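The bug class behind this commit, reduced to a stand-alone C program (added example, not paraslash code and not using libogg): a stack-allocated state struct is passed to a clear routine through a shared `out:` cleanup label on an error path that runs before the init routine. The `stream_state`, `stream_init()`, `stream_clear()`, `sync_pageout()`, `E_SYNC_PAGEOUT` and `bad_clears` names are constructed stand-ins for `ogg_stream_state`, `ogg_stream_init()`, `ogg_stream_clear()`, `ogg_sync_pageout()` and the real error constant; instead of handing garbage to free() as libogg does, the stand-in clear routine checks a magic value set by init and counts the bad call, so both shapes of the function can be exercised without crashing.

```c
/*
 * Added example: cleanup-before-init bug shape (constructed, no libogg).
 * stream_state stands in for ogg_stream_state; stream_clear() detects a
 * never-initialized state via a magic word instead of calling free() on it.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STREAM_MAGIC 0x5354524dUL  /* constructed sentinel written by stream_init() */
#define E_SYNC_PAGEOUT 1           /* hypothetical error code, like -E_SYNC_PAGEOUT */

struct stream_state {
	unsigned long magic;  /* STREAM_MAGIC after stream_init(), garbage before */
	char *body;           /* heap buffer owned by the state, freed in stream_clear() */
};

static int bad_clears;  /* number of stream_clear() calls on uninitialized state */

static void stream_init(struct stream_state *s, int serialno)
{
	s->magic = STREAM_MAGIC;
	s->body = malloc(32);
	snprintf(s->body, 32, "serial %d", serialno);
}

static void stream_clear(struct stream_state *s)
{
	if (s->magic != STREAM_MAGIC) {
		/* libogg would free() s->body here: that is the munmap_chunk() abort */
		bad_clears++;
		return;
	}
	free(s->body);
	s->magic = 0;
}

/* Stand-in for ogg_sync_pageout(): 1 when a page is available, else 0. */
static int sync_pageout(bool have_page)
{
	return have_page ? 1 : 0;
}

/* Shape before the fix: every error path funnels through "out". */
static int process_before_fix(bool have_page)
{
	struct stream_state stream;
	int ret;

	memset(&stream, 0xAB, sizeof(stream));  /* deterministic "stack garbage" */
	ret = -E_SYNC_PAGEOUT;
	if (sync_pageout(have_page) != 1)
		goto out;                       /* stream not initialized yet */
	ret = 42;                               /* stands in for ogg_page_serialno() */
	stream_init(&stream, ret);
	ret = 0;                                /* packet processing would go here */
out:
	stream_clear(&stream);                  /* invalid on the early-error path */
	return ret;
}

/* Shape after the fix: leave directly while no resource is held. */
static int process_after_fix(bool have_page)
{
	struct stream_state stream;
	int ret;

	memset(&stream, 0xAB, sizeof(stream));
	if (sync_pageout(have_page) != 1)
		return -E_SYNC_PAGEOUT;
	ret = 42;
	stream_init(&stream, ret);
	ret = 0;
	/* only reachable after stream_init(), so the clear is always valid */
	stream_clear(&stream);
	return ret;
}

/* Returns the bad-clear count seen so far and resets it. */
int take_bad_clears(void)
{
	int n = bad_clears;
	bad_clears = 0;
	return n;
}
```

Running `process_before_fix(false)` records one bad clear, which is exactly the path the backtrace above shows; `process_after_fix(false)` returns the same error code with no cleanup call at all, and both variants behave identically once a page is available.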

NEWS
ogg_afh_common.c

diff --git a/NEWS b/NEWS
index 4669b78..cb7ba06 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
 0.4.5 (to be announced) "symmetric randomization"
 -------------------------------------------------
 
+       - Fix an invalid-free-bug in the ogg audio format handler code.
+
 ------------------------------------------
 0.4.4 (2010-08-06) "persistent regularity"
 ------------------------------------------
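Review bot: the new NEWS line `+       - Fix an invalid-free-bug in the ogg audio format handler code.` names the fix but not the user-visible effect, which the commit message says is a segfault of para_afh and para_server; a changelog reader deciding whether to upgrade wants that symptom, so consider `- Fix an invalid free in the ogg audio format handler that crashed para_afh and para_server.` (also dropping the hyphen before "bug", since "invalid-free-bug" is not one compound).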
index 353bc9b..54e9295 100644 (file)
@@ -64,9 +64,8 @@ static int process_ogg_packets(ogg_sync_state *oss, struct afh_info *afhi,
        ogg_page page;
        int ret;
 
-       ret = -E_SYNC_PAGEOUT;
        if (ogg_sync_pageout(oss, &page) != 1)
-               goto out;
+               return -E_SYNC_PAGEOUT;
 
        ret = ogg_page_serialno(&page);
        ogg_stream_init(&stream, ret);
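Review bot: the direct `return -E_SYNC_PAGEOUT;` is the right fix here, because nothing is held before `ogg_stream_init(&stream, ret);`, but the `out:` label presumably still does an unconditional `ogg_stream_clear(&stream)`, so any future early exit inserted between the `ogg_sync_pageout()` check and `ogg_stream_init()` would bring the same invalid free back; a one-line comment at the return stating that `out` is only valid after `ogg_stream_init()`, or moving the label so cleanup is unreachable before initialization, would make that invariant explicit. Removing `ret = -E_SYNC_PAGEOUT;` is safe since `ret` is now first read only after `ret = ogg_page_serialno(&page);`.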