From: Andre Noll Date: Mon, 9 Aug 2010 22:15:04 +0000 (+0200) Subject: Fix an invalid-free-bug in the ogg audio format handler code. X-Git-Tag: v0.4.5~39 X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=commitdiff_plain;h=3f8c505afd85714f6f8c12d8a94ae642fbfb6de4 Fix an invalid-free-bug in the ogg audio format handler code. In process_ogg_packets(), if ogg_sync_pageout() fails, we jmp to the out label where "stream" is being freed by ogg_stream_clear() without being initialized. This causes para_afh and para_server to segfault in libogg: *** glibc detected *** para_afh: munmap_chunk(): invalid pointer: 0x6f890d42 *** ======= Backtrace: ========= /usr/lib/glibc/lib/libc.so.6(+0x66e5a)[0x6f712e5a] /usr/lib/glibc/lib/libc.so.6(+0x68021)[0x6f714021] /usr/local/lib/libogg.so.0(ogg_stream_clear+0x2f)[0x6f891adf] para_afh[0x804cb52] para_afh[0x804cbeb] para_afh[0x804ce59] para_afh[0x804be71] para_afh[0x804a97c] /usr/lib/glibc/lib/libc.so.6(__libc_start_main+0xd9)[0x6f6c2c79] para_afh[0x8049991] Fix this bug by returning the error code directly rather than jumping to "out". --- diff --git a/NEWS b/NEWS index 4669b78e..cb7ba06d 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,8 @@ 0.4.5 (to be announced) "symmetric randomization" ------------------------------------------------- + - Fix an invalid-free-bug in the ogg audio format handler code. + ------------------------------------------ 0.4.4 (2010-08-06) "persistent regularity" ------------------------------------------ diff --git a/ogg_afh_common.c b/ogg_afh_common.c index 353bc9bb..54e92956 100644 --- a/ogg_afh_common.c +++ b/ogg_afh_common.c @@ -64,9 +64,8 @@ static int process_ogg_packets(ogg_sync_state *oss, struct afh_info *afhi, ogg_page page; int ret; - ret = -E_SYNC_PAGEOUT; if (ogg_sync_pageout(oss, &page) != 1) - goto out; + return -E_SYNC_PAGEOUT; ret = ogg_page_serialno(&page); ogg_stream_init(&stream, ret);
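Review bot: the NEWS entry in the first hunk repeats only the commit subject; since the bug manifests as a segfault of para_afh and para_server when libogg's ogg_stream_clear() is called on an uninitialized stream, the entry would be more useful to users if it named that symptom, e.g. "Fix an invalid free in the ogg audio format handler that crashed para_afh and para_server."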
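Review bot: the direct `return -E_SYNC_PAGEOUT;` in the ogg_afh_common.c hunk is the right shape for this path, because at that point nothing has been acquired and the `out:` label's ogg_stream_clear() must only run after ogg_stream_init(&stream, ret) has succeeded; however, the underlying hazard (a cleanup label that assumes an initialized `stream`) is left in place, so a later error check added between the `int ret;` declaration and ogg_stream_init() would reintroduce exactly this invalid free. Consider adding a short comment next to ogg_stream_init() (or at the `out:` label) stating that every failure before that call must return directly and not jump to `out`, and note that dropping the `ret = -E_SYNC_PAGEOUT;` pre-assignment is safe only because `ret` is reassigned by ogg_page_serialno(&page) before its next use.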