matroskadec: pad EBML_BIN data.

It might be passed to code requiring padding, such as lzo decompression.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f798342..764dbf8 100644 (file)
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -734,9 +734,11 @@ static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
 static int ebml_read_binary(AVIOContext *pb, int length, EbmlBin *bin)
 {
     av_free(bin->data);
-    if (!(bin->data = av_malloc(length)))
+    if (!(bin->data = av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE)))
         return AVERROR(ENOMEM);
 
+    memset(bin->data + length, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+
     bin->size = length;
     bin->pos  = avio_tell(pb);
     if (avio_read(pb, bin->data, length) != length) {