Description: fix denial of service and possible code execution via malformed OGG
Origin: upstream, http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd63c32ff6f6a24dc971a0bb2ca8f8a4f57e79da
Bug: http://code.google.com/p/chromium/issues/detail?id=71788
diff -Nur ffmpeg-0.6/libavformat/oggdec.c ffmpeg-0.6.new/libavformat/oggdec.c
--- ffmpeg-0.6/libavformat/oggdec.c	2010-05-23 22:09:36.000000000 -0400
+++ ffmpeg-0.6.new/libavformat/oggdec.c	2011-09-16 09:31:56.456351992 -0400
@@ -582,15 +582,15 @@
                   int64_t pos_limit)
 {
     struct ogg *ogg = s->priv_data;
-    struct ogg_stream *os = ogg->streams + stream_index;
     ByteIOContext *bc = s->pb;
     int64_t pts = AV_NOPTS_VALUE;
-    int i;
+    int i = -1;
 
     url_fseek(bc, *pos_arg, SEEK_SET);
     ogg_reset(ogg);
     while (url_ftell(bc) < pos_limit && !ogg_packet(s, &i, NULL, NULL, pos_arg)) {
         if (i == stream_index) {
+            struct ogg_stream *os = ogg->streams + stream_index;
             pts = ogg_calc_pts(s, i, NULL);
             if (os->keyframe_seek && !(os->pflags & AV_PKT_FLAG_KEY))
                 pts = AV_NOPTS_VALUE;
@@ -615,6 +615,7 @@
     os->keyframe_seek = 1;
 
     ret = av_seek_frame_binary(s, stream_index, timestamp, flags);
+    os = ogg->streams + stream_index;
     if (ret < 0)
         os->keyframe_seek = 0;
     return ret;
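Review bot: The new `struct ogg_stream *os = ogg->streams + stream_index;` inside the loop body should carry a comment saying why it is re-derived after every `ogg_packet()` call, because without one the next cleanup will hoist it back above the `while` — which is exactly the stale-pointer bug this commit removes. Presumably `ogg_packet()` can grow `ogg->streams` (a realloc when it meets a new stream), invalidating any pointer computed earlier; that function is not in the hunk, so confirm the wording against it. I would write `/* ogg_packet() may realloc ogg->streams; never cache os across it */` directly above the declaration. The `int i = -1;` initialisation is only a safety net: if `ogg_packet()` ever returns 0 without storing into `i`, the `i == stream_index` test now fails closed instead of reading an indeterminate value, and that deserves a one-line comment as well. `ogg_read_timestamp` continues past the end of the hunk.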
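Review bot: The added `os = ogg->streams + stream_index;` after `av_seek_frame_binary()` reads as a redundant reassignment, since `os` was evidently initialised from the same expression at the top of `ogg_read_seek` (outside the hunk), and an unexplained repeat is the first thing a later cleanup deletes. It is needed because the binary seek reads packets from the file, and — judging from the first hunk rather than from code shown here — that packet path can reallocate `ogg->streams`, leaving the pre-seek pointer dangling when `os->keyframe_seek = 0` is written on failure. Attach the reason to the line: `/* the seek reads packets and may realloc ogg->streams: refresh os */`. The `os->keyframe_seek = 1` store before the seek still goes through the original pointer, which is fine only as long as nothing between it and the seek call reallocates; worth stating in the same comment. The function's opening, including the declaration of `os` and `ret`, lies outside the hunk.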