From 3f8c505afd85714f6f8c12d8a94ae642fbfb6de4 Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Tue, 10 Aug 2010 00:15:04 +0200
Subject: [PATCH] Fix an invalid-free-bug in the ogg audio format handler code.
In process_ogg_packets(), if ogg_sync_pageout() fails, we jmp to the out label where "stream" is being freed by ogg_stream_clear() without being initialized. This causes para_afh and para_server to segfault in libogg:
*** glibc detected *** para_afh: munmap_chunk(): invalid pointer: 0x6f890d42 ***
======= Backtrace: =========
/usr/lib/glibc/lib/libc.so.6(+0x66e5a)[0x6f712e5a]
/usr/lib/glibc/lib/libc.so.6(+0x68021)[0x6f714021]
/usr/local/lib/libogg.so.0(ogg_stream_clear+0x2f)[0x6f891adf]
para_afh[0x804cb52]
para_afh[0x804cbeb]
para_afh[0x804ce59]
para_afh[0x804be71]
para_afh[0x804a97c]
/usr/lib/glibc/lib/libc.so.6(__libc_start_main+0xd9)[0x6f6c2c79]
para_afh[0x8049991]
Fix this bug by returning the error code directly rather than jumping to "out".
---
 NEWS | 2 ++
 ogg_afh_common.c | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 4669b78e..cb7ba06d 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
 0.4.5 (to be announced) "symmetric randomization"
 -------------------------------------------------
+ - Fix an invalid-free-bug in the ogg audio format handler code.
+
 ------------------------------------------
 0.4.4 (2010-08-06) "persistent regularity"
 ------------------------------------------
diff --git a/ogg_afh_common.c b/ogg_afh_common.c
index 353bc9bb..54e92956 100644
--- a/ogg_afh_common.c
+++ b/ogg_afh_common.c
@@ -64,9 +64,8 @@ static int process_ogg_packets(ogg_sync_state *oss, struct afh_info *afhi,
 ogg_page page;
 int ret;
- ret = -E_SYNC_PAGEOUT;
 if (ogg_sync_pageout(oss, &page) != 1)
- goto out;
+ return -E_SYNC_PAGEOUT;
 ret = ogg_page_serialno(&page);
 ogg_stream_init(&stream, ret);
-- 
2.39.2
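Review bot: The early return is the right fix for clearing an uninitialized `stream`, but it leaves the invariant implicit: every remaining `goto out` in process_ogg_packets() must now sit after the `ogg_stream_init(&stream, ret)` call, otherwise the same invalid free comes back the next time an error path is added above it. A one-line comment on the new return would make that explicit, e.g. `return -E_SYNC_PAGEOUT; /* stream not initialized yet, nothing to clear */`. The declaration of `stream`, the `out` label and the rest of the function body are outside the hunk, so whether `out` releases anything besides the stream cannot be checked here; if it does, the early return would skip that too.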