From 5ba32985fb58dd600d387c6a75b270772353f3f1 Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Wed, 24 Sep 2008 18:59:14 +0000
Subject: [PATCH] Avoid invalid memory access: Overwriting m_unparsed_buffer before copying data from the cursor is bad. The old m_unparsed_buffer is still used in the cursor. Therefore the copy might read from just freed memory.
---
 src/common/dirac_common.cpp | 5 +++--
 src/common/vc1_common.cpp | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/common/dirac_common.cpp b/src/common/dirac_common.cpp
index 842e54a7d..02e81d943 100644
--- a/src/common/dirac_common.cpp
+++ b/src/common/dirac_common.cpp
@@ -275,8 +275,9 @@ dirac::es_parser_c::add_bytes(unsigned char *buffer,
 int new_size = cursor.get_size() - previous_pos;
 if (0 != new_size) {
- m_unparsed_buffer = memory_c::alloc(new_size);
- cursor.copy(m_unparsed_buffer->get(), previous_pos, new_size);
+ memory_cptr new_unparsed_buffer = memory_c::alloc(new_size);
+ cursor.copy(new_unparsed_buffer->get(), previous_pos, new_size);
+ m_unparsed_buffer = new_unparsed_buffer;
 } else
 m_unparsed_buffer = memory_cptr(NULL);
diff --git a/src/common/vc1_common.cpp b/src/common/vc1_common.cpp
index 672eb7082..05a23ebea 100644
--- a/src/common/vc1_common.cpp
+++ b/src/common/vc1_common.cpp
@@ -334,8 +334,9 @@ vc1::es_parser_c::add_bytes(unsigned char *buffer,
 int new_size = cursor.get_size() - previous_pos;
 if (0 != new_size) {
- m_unparsed_buffer = memory_c::alloc(new_size);
- cursor.copy(m_unparsed_buffer->get(), previous_pos, new_size);
+ memory_cptr new_unparsed_buffer = memory_c::alloc(new_size);
+ cursor.copy(new_unparsed_buffer->get(), previous_pos, new_size);
+ m_unparsed_buffer = new_unparsed_buffer;
 } else
 m_unparsed_buffer = memory_cptr(NULL);
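Review bot: The order of the three new lines is what removes the read from freed memory, yet nothing in the code records that `cursor` still references the old `m_unparsed_buffer`, so a later tidy-up that folds them back into a direct assignment would silently reintroduce the bug; add a comment above `memory_cptr new_unparsed_buffer = memory_c::alloc(new_size);` such as `// Copy into a fresh buffer before replacing m_unparsed_buffer: the cursor still refers to the old one.` The same comment belongs in the identical hunk in src/common/vc1_common.cpp. The guard `if (0 != new_size)` only excludes zero; if `cursor.get_size()` can ever be smaller than `previous_pos` here (not determinable from this hunk), the new `memory_c::alloc(new_size)` call would receive a negative size, so `if (0 < new_size)` may be the safer form. `add_bytes` begins and ends outside the hunk in both files.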