memory_c::resize(): fix write to behind allocated block

If resizing down a non-free instance then we must copy at most as many
bytes as the new size allows for. Fixes #931.
Moritz Bunkus 2013-11-02 12:13:20 +01:00
parent 383e587515
commit 3716e532ee
4 changed files with 13 additions and 1 deletion
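The copy-length rule the commit message describes, shown as an added example that is not mkvtoolnix's own code: a stand-in for the counter block behind `memory_c` (field names `ptr`, `offset`, `size`, `is_free` follow the hunk; the struct itself, the `resize_nonfree_fixed` helper and the reset of `offset` to 0 after the copy are assumptions made here). `copy_len_before_fix` reproduces the old formula, `copy_len_after_fix` the `std::min` form, and `guard_survives` runs both against a destination padded with guard bytes so the over-long write can be observed without corrupting real heap metadata.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for the reference-counted block memory_c keeps behind its
// instances. Field names follow the hunk (ptr, offset, size, is_free);
// the layout itself is an assumption for this example.
struct counter_t {
  uint8_t *ptr;
  size_t   offset;   // first live byte is ptr + offset
  size_t   size;     // bytes allocated behind ptr
  bool     is_free;  // true if memory_c owns ptr and must free it
};

// Bytes the pre-fix code copied into the freshly allocated block:
// everything from offset to the end of the old block, regardless of new_size.
size_t copy_len_before_fix(size_t new_size, const counter_t &c) {
  (void)new_size;
  return c.size - c.offset;
}

// Bytes copied after the fix: never more than the destination holds.
size_t copy_len_after_fix(size_t new_size, const counter_t &c) {
  return std::min(new_size, c.size - c.offset);
}

// Fixed non-free branch of resize(): copy the live bytes (truncated to
// new_size) into an owned, zero-initialised block. Resetting offset to 0 is
// an assumption made here because the copied data now starts at ptr.
void resize_nonfree_fixed(counter_t &c, size_t new_size) {
  uint8_t *tmp = new uint8_t[new_size]();
  std::memcpy(tmp, c.ptr + c.offset, copy_len_after_fix(new_size, c));
  c.ptr     = tmp;
  c.is_free = true;
  c.size    = new_size;
  c.offset  = 0;
}

// Fills a constructed 32-byte source block with 'A'..'Z','A'.. for the tests.
static void fill_source(uint8_t (&src)[32]) {
  for (size_t i = 0; i < sizeof(src); ++i)
    src[i] = static_cast<uint8_t>('A' + (i % 26));
}

// Runs either copy length against a destination that carries guard bytes
// after its new_size payload, so the over-long write lands in memory we own
// instead of in the heap allocator's neighbours. Returns true if the guard
// survived, i.e. the copy stayed inside the new block.
bool guard_survives(size_t new_size, bool use_fix) {
  const size_t guard_len = 64;
  uint8_t src[32];
  fill_source(src);
  counter_t c{src, 8, sizeof(src), false};           // 24 live bytes, not owned

  std::vector<uint8_t> dst(new_size + guard_len, 0xCC);
  size_t n = use_fix ? copy_len_after_fix(new_size, c) : copy_len_before_fix(new_size, c);
  if (n > dst.size()) return false;                  // would be a real heap overflow
  std::memcpy(dst.data(), c.ptr + c.offset, n);
  return std::all_of(dst.begin() + new_size, dst.end(),
                     [](uint8_t b) { return b == 0xCC; });
}

// Shrinks the 24-byte live region to new_size with the fixed code and returns
// the resulting contents, for checking that the kept prefix is intact.
std::vector<uint8_t> shrink_fixed(size_t new_size) {
  uint8_t src[32];
  fill_source(src);
  counter_t c{src, 8, sizeof(src), false};
  resize_nonfree_fixed(c, new_size);
  std::vector<uint8_t> out(c.ptr, c.ptr + c.size);
  delete[] c.ptr;
  return out;
}
```

With a 24-byte live region and `new_size` of 4, the old formula still copies 24 bytes and tramples the 20 bytes after the new allocation; the `std::min` form copies 4. Growing (`new_size` of 64) was never the problem, since the copy length is then bounded by the source.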


@ -1,3 +1,9 @@
2013-11-02 Moritz Bunkus <moritz@bunkus.org>
* mkvmerge: bug fix: fixed accessing invalid memory in the memory
handling core routines. May be triggered by the code to remove
filler NALUs introduced in v6.5.0. Fixes #931.
2013-10-26 Moritz Bunkus <moritz@bunkus.org>
* mmg: bug fix: fixed the tracks list box on the input tab being


@ -29,7 +29,7 @@ memory_c::resize(size_t new_size)
} else {
X *tmp = (X *)safemalloc(new_size);
memcpy(tmp, its_counter->ptr + its_counter->offset, its_counter->size - its_counter->offset);
memcpy(tmp, its_counter->ptr + its_counter->offset, std::min(new_size, its_counter->size - its_counter->offset));
its_counter->ptr = tmp;
its_counter->is_free = true;
its_counter->size = new_size;
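Review bot: after `its_counter->ptr = tmp;` the hunk does not show `its_counter->offset` being reset to 0, yet the copy starts the live data at `tmp[0]`; if the reset happens outside the shown context that is fine, otherwise later reads of `ptr + offset` skip the first `offset` bytes of the new block and, with `size = new_size`, can again read past its end. Please confirm. Two smaller points on the replaced line: `std::min` requires `<algorithm>` to be included in this translation unit, and the truncation silently drops the tail of the live data when `new_size` is smaller, which matches the intent of the fix but is worth a one-line comment so nobody "optimises" the `std::min` away again.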


@ -258,3 +258,4 @@ T_409mux_vp9:fc1aae4cb828024783d254077ead7eb6-aa52fea93972a3294168417659dd8842:p
T_410extract_vp9:b6135380fa07f827384ad1004015d79c:passed:20131019-200643:0.033861429
T_411ui_locale_pt_PT:7378e1146862dcb96f11caa91d33c5cb-3182bfa8c7ef57b56185285fbd614c98:passed:20131026-154124:0.073196901
T_412ui_locale_pl_PL:f84afd16653d395b33943ef722c63cfa-a4f512bdc00e1eab4d27a715174df149:passed:20131026-154845:0.077632905
T_413memory_resize_nonfree_smaller:c1085152b4b60a197bf93d598d066924:passed:20131102-115507:0.066828215


@ -0,0 +1,5 @@
#!/usr/bin/ruby -w
# T_413memory_resize_nonfree_smaller
describe "mkvmerge / memory_c::resize(), non-free, smaller block"
test_merge "data/mkv/h264-nonfree-remove-filler-nalu.mkv"
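Review bot: as written, the regression test only fails if the overflowing memcpy happens to change the output hash or crash the process; an out-of-bounds heap write that lands in slack space passes unnoticed. Running this test case under valgrind or an AddressSanitizer build, or documenting in the file that it is meant to be run that way, would make it a reliable guard for #931. A short comment naming the non-free, shrinking resize path it exercises would also help the next reader, since the sample file name alone does not explain why the test exists.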