[MPlayer-cvslog] CVS: main/libmpdemux demux_real.c, 1.97, 1.98 demux_realaud.c, 1.15, 1.16
Roberto Togni CVS
syncmail at mplayerhq.hu
Sun May 14 17:51:07 CEST 2006
CVS change done by Roberto Togni CVS
Update of /cvsroot/mplayer/main/libmpdemux
In directory mail:/var2/tmp/cvs-serv24838
Modified Files:
demux_real.c demux_realaud.c
Log Message:
Fix some potential integer overflow in memory allocation (most of these
were probably safe or disabled anyway)
Index: demux_real.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpdemux/demux_real.c,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- demux_real.c 11 May 2006 18:50:46 -0000 1.97
+++ demux_real.c 14 May 2006 15:51:05 -0000 1.98
@@ -407,7 +407,7 @@
for (i = 0; i < MAX_STREAMS; i++)
{
priv->index_table_size[i] = num_of_packets;
- priv->index_table[i] = malloc(priv->index_table_size[i] * sizeof(real_index_table_t));
+ priv->index_table[i] = calloc(priv->index_table_size[i], sizeof(real_index_table_t));
// priv->index_table[stream_id] = realloc(priv->index_table[stream_id],
// priv->index_table_size[stream_id] * sizeof(real_index_table_t));
}
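Review bot: The result of the new `calloc` in `priv->index_table[i]` is not checked in the visible lines, and `priv->index_table_size[i]` has already been set to `num_of_packets` on the line before. When `calloc` refuses an overflowing count it returns NULL, so the wrapped allocation is replaced by a NULL table that still records a non-zero size. A guard right after the call would keep the two in step, e.g. `if (!priv->index_table[i]) priv->index_table_size[i] = 0;`, together with whatever error return the enclosing function uses (it starts and ends outside this hunk). The same unchecked return applies to the `audio_buf` and `audio_timestamp` allocations in the `@@ -1054` and `@@ -1470` hunks and to both `audio_buf` allocations in demux_realaud.c; how those sizes are validated before reaching `calloc` is not visible here.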
@@ -1054,8 +1054,8 @@
demuxer->audio->id=stream_id;
sh->ds=demuxer->audio;
demuxer->audio->sh=sh;
- priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
- priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+ priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+ priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
mp_msg(MSGT_DEMUX,MSGL_V,"Auto-selected RM audio ID = %d\n",stream_id);
goto got_audio;
}
@@ -1416,6 +1416,11 @@
if (version==5)
stream_skip(demuxer->stream,1); // Skip 1 additional unknown byte
codecdata_length=stream_read_dword(demuxer->stream);
+ // Check extradata len, we can't store bigger values in cbSize anyway
+ if ((unsigned)codecdata_length > 0xffff) {
+ mp_msg(MSGT_DEMUX,MSGL_ERR,"Extradata too big (%d)\n", codecdata_length);
+ goto skip_this_chunk;
+ }
sh->wf->cbSize = codecdata_length;
sh->wf = realloc(sh->wf, sizeof(WAVEFORMATEX)+sh->wf->cbSize);
stream_read(demuxer->stream, ((char*)(sh->wf+1)), codecdata_length); // extras
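Review bot: The `realloc` two lines after the new length check still assigns straight into `sh->wf`, so on allocation failure the old block is lost and the following `stream_read` writes through `(char*)(sh->wf+1)` derived from a NULL pointer. Bounding `codecdata_length` to 0xffff stops the size from wrapping but leaves this failure path in place. I would reallocate into a temporary first: `WAVEFORMATEX *wf = realloc(sh->wf, sizeof(WAVEFORMATEX)+codecdata_length);`, then `if (!wf) goto skip_this_chunk;`, then `sh->wf = wf; sh->wf->cbSize = codecdata_length;`. The return value of `stream_read` is also ignored, so a truncated file would leave the uninitialised tail of the `realloc`'d block exposed as extradata. Whether `skip_this_chunk` releases `sh` and `sh->wf` cannot be seen from this hunk and should be confirmed.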
@@ -1470,8 +1475,8 @@
demuxer->audio->id=stream_id;
sh->ds=demuxer->audio;
demuxer->audio->sh=sh;
- priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
- priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+ priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+ priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
}
++a_streams;
Index: demux_realaud.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpdemux/demux_realaud.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- demux_realaud.c 27 Mar 2006 17:25:41 -0000 1.15
+++ demux_realaud.c 14 May 2006 15:51:05 -0000 1.16
@@ -298,7 +298,7 @@
case FOURCC_288:
mp_msg(MSGT_DEMUX,MSGL_V,"Audio: 28_8\n");
sh->wf->nBlockAlign = ra_priv->coded_framesize;
- ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+ ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
break;
case FOURCC_DNET:
mp_msg(MSGT_DEMUX,MSGL_V,"Audio: DNET -> AC3\n");
@@ -307,7 +307,7 @@
mp_msg(MSGT_DEMUX,MSGL_V,"Audio: SIPR\n");
sh->wf->nBlockAlign = ra_priv->coded_framesize;
sh->wf->nAvgBytesPerSec = sipr_fl2bps[ra_priv->codec_flavor];
- ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+ ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
break;
default:
mp_msg(MSGT_DEMUX,MSGL_V,"Audio: Unknown (%d)\n", sh->format);