[FFmpeg-cvslog] Fix memory corruption in case of memory allocation	failure in av_probe_input_buffer ()
    Michael Niedermayer 
    git at videolan.org
       
    Wed Sep  7 15:16:26 CEST 2011
    
    
  
ffmpeg | branch: release/0.8 | Michael Niedermayer <michaelni at gmx.at> | Sat Aug 27 21:24:13 2011 +0200| [f5978250524f03364c4c67f14dab86db66f7a908] | committer: Michael Niedermayer
Fix memory corruption in case of memory allocation failure in av_probe_input_buffer()
Reported-by: Tanami Ohad
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 941bb552c6e08b40eb7d7842df19285cd650edd0)
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f5978250524f03364c4c67f14dab86db66f7a908
---
 libavformat/utils.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 955aaa7..52b2ae9 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -524,13 +524,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
         probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
         int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
         int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
+        void *buftmp;
 
         if (probe_size < offset) {
             continue;
         }
 
         /* read probe data */
-        buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
+        buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
+        if(!buftmp){
+            av_free(buf);
+            return AVERROR(ENOMEM);
+        }
+        buf=buftmp;
         if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
             /* fail if error was not end of file, otherwise, lower score */
             if (ret != AVERROR_EOF) {
    
    
More information about the ffmpeg-cvslog
mailing list