har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.

Browse Source 
Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Michael Niedermayer 2011-07-28 14:59:54 +02:00 committed by Reinhard Tartler
parent a9a033773a
commit 77d2ef13a8
1 changed files with 29 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
libavformat/matroskadec.c
View File

@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
uint32_t id = syntax->id;
uint64_t length;
int res;
void *newelem;
data = (char *)data + syntax->data_offset;
if (syntax->list_elem_size) {
EbmlList *list = data;
list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
if (!newelem)
return AVERROR(ENOMEM);
list->elem = newelem;
data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
memset(data, 0, syntax->list_elem_size);
list->nb_elem++;
@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
uint8_t* data = *buf;
int isize = *buf_size;
uint8_t* pkt_data = NULL;
uint8_t* newpktdata;
int pkt_size = isize;
int result = 0;
int olen;
@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
zstream.avail_in = isize;
do {
pkt_size *= 3;
pkt_data = av_realloc(pkt_data, pkt_size);
newpktdata = av_realloc(pkt_data, pkt_size);
if (!newpktdata) {
inflateEnd(&zstream);
goto failed;
}
pkt_data = newpktdata;
zstream.avail_out = pkt_size - zstream.total_out;
zstream.next_out = pkt_data + zstream.total_out;
result = inflate(&zstream, Z_NO_FLUSH);
@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
bzstream.avail_in = isize;
do {
pkt_size *= 3;
pkt_data = av_realloc(pkt_data, pkt_size);
newpktdata = av_realloc(pkt_data, pkt_size);
if (!newpktdata) {
BZ2_bzDecompressEnd(&bzstream);
goto failed;
}
pkt_data = newpktdata;
bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
bzstream.next_out = pkt_data + bzstream.total_out_lo32;
result = BZ2_bzDecompress(&bzstream);
@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
}
}
static void matroska_merge_packets(AVPacket *out, AVPacket *in)
static int matroska_merge_packets(AVPacket *out, AVPacket *in)
{
out->data = av_realloc(out->data, out->size+in->size);
void *newdata = av_realloc(out->data, out->size+in->size);
if (!newdata)
return AVERROR(ENOMEM);
out->data = newdata;
memcpy(out->data+out->size, in->data, in->size);
out->size += in->size;
av_destruct_packet(in);
av_free(in);
return 0;
}
static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
av_free(matroska->packets[0]);
if (matroska->num_packets > 1) {
void *newpackets;
memmove(&matroska->packets[0], &matroska->packets[1],
(matroska->num_packets - 1) * sizeof(AVPacket *));
matroska->packets =
av_realloc(matroska->packets, (matroska->num_packets - 1) *
sizeof(AVPacket *));
newpackets = av_realloc(matroska->packets,
(matroska->num_packets - 1) * sizeof(AVPacket *));
if (newpackets)
matroska->packets = newpackets;
} else {
av_freep(&matroska->packets);
}