From 3716e532eec96cf5c9277302f08ad89a1d6fb90f Mon Sep 17 00:00:00 2001 From: Moritz Bunkus Date: Sat, 2 Nov 2013 12:13:20 +0100 Subject: [PATCH] memory_c::resize(): fix write to behind allocated block If resizing down a non-free instance then we must copy at most as many bytes as the new size allows for. Fixes #931. --- ChangeLog | 6 ++++++ src/common/memory.cpp | 2 +- tests/results.txt | 1 + tests/test-413memory_resize_nonfree_smaller.rb | 5 +++++ 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100755 tests/test-413memory_resize_nonfree_smaller.rb diff --git a/ChangeLog b/ChangeLog index f0d3cff72..93f342b37 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2013-11-02 Moritz Bunkus + + * mkvmerge: bug fix: fixed accessing invalid memory in the memory + handling core routines. May be triggered by the code to remove + filler NALUs introduced in v6.5.0. Fixes #931. + 2013-10-26 Moritz Bunkus * mmg: bug fix: fixed the tracks list box on the input tab being diff --git a/src/common/memory.cpp b/src/common/memory.cpp index c618873e6..ef5ec7c49 100644 --- a/src/common/memory.cpp +++ b/src/common/memory.cpp @@ -29,7 +29,7 @@ memory_c::resize(size_t new_size) } else { X *tmp = (X *)safemalloc(new_size); - memcpy(tmp, its_counter->ptr + its_counter->offset, its_counter->size - its_counter->offset); + memcpy(tmp, its_counter->ptr + its_counter->offset, std::min(new_size, its_counter->size - its_counter->offset)); its_counter->ptr = tmp; its_counter->is_free = true; its_counter->size = new_size; diff --git a/tests/results.txt b/tests/results.txt index 5ea08fd5b..863db0116 100644 --- a/tests/results.txt +++ b/tests/results.txt 
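Review bot: The new memcpy moves the bytes at `its_counter->ptr + its_counter->offset` to the start of `tmp`, yet nothing in the hunk resets `its_counter->offset`, so the stale offset is still in effect on the fresh block; if, as the copy source suggests, the buffer start and usable length are derived from `ptr + offset` and `size - offset`, a resize of a non-free instance with a non-zero offset would afterwards read `offset` bytes past the copied data and under-report the length. Adding `its_counter->offset = 0;` after `its_counter->size = new_size;` would keep the counter consistent with the relocated data. The new bound also assumes `offset <= size`: both operands look unsigned, so an offset past the end would wrap `size - offset`, let `std::min` select `new_size`, and read beyond the old block — an `assert(its_counter->offset <= its_counter->size);` before the copy would document and enforce that invariant unless callers already guarantee it. The remainder of memory_c::resize, including the close of this else branch, lies outside the hunk.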
@@ -258,3 +258,4 @@ T_409mux_vp9:fc1aae4cb828024783d254077ead7eb6-aa52fea93972a3294168417659dd8842:p T_410extract_vp9:b6135380fa07f827384ad1004015d79c:passed:20131019-200643:0.033861429 T_411ui_locale_pt_PT:7378e1146862dcb96f11caa91d33c5cb-3182bfa8c7ef57b56185285fbd614c98:passed:20131026-154124:0.073196901 T_412ui_locale_pl_PL:f84afd16653d395b33943ef722c63cfa-a4f512bdc00e1eab4d27a715174df149:passed:20131026-154845:0.077632905 +T_413memory_resize_nonfree_smaller:c1085152b4b60a197bf93d598d066924:passed:20131102-115507:0.066828215 diff --git a/tests/test-413memory_resize_nonfree_smaller.rb b/tests/test-413memory_resize_nonfree_smaller.rb new file mode 100755 index 000000000..3eba39c6c --- /dev/null +++ b/tests/test-413memory_resize_nonfree_smaller.rb @@ -0,0 +1,5 @@ +#!/usr/bin/ruby -w + +# T_413memory_resize_nonfree_smaller +describe "mkvmerge / memory_c::resize(), non-free, smaller block" +test_merge "data/mkv/h264-nonfree-remove-filler-nalu.mkv"