Mercurial > libavcodec.hg
comparison h264_mp4toannexb_bsf.c @ 11858:fb5a6e98aa1c libavcodec
Sanitize av_realloc() use in h264 mp4toannexb bistream filter.
| author | benoit |
|---|---|
| date | Thu, 10 Jun 2010 05:59:22 +0000 |
| parents | e1e986bb64d0 |
| children | f533ea0b236f |
comparison
equal
deleted
inserted
replaced
| 11857:e1e986bb64d0 | 11858:fb5a6e98aa1c |
|---|---|
| 26 uint8_t length_size; | 26 uint8_t length_size; |
| 27 uint8_t first_idr; | 27 uint8_t first_idr; |
| 28 int extradata_parsed; | 28 int extradata_parsed; |
| 29 } H264BSFContext; | 29 } H264BSFContext; |
| 30 | 30 |
| 31 static void alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, | 31 static int alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, |
| 32 const uint8_t *sps_pps, uint32_t sps_pps_size, | 32 const uint8_t *sps_pps, uint32_t sps_pps_size, |
| 33 const uint8_t *in, uint32_t in_size) { | 33 const uint8_t *in, uint32_t in_size) { |
| 34 uint32_t offset = *poutbuf_size; | 34 uint32_t offset = *poutbuf_size; |
| 35 uint8_t nal_header_size = offset ? 3 : 4; | 35 uint8_t nal_header_size = offset ? 3 : 4; |
| 36 void *tmp; | |
| 36 | 37 |
| 37 *poutbuf_size += sps_pps_size+in_size+nal_header_size; | 38 *poutbuf_size += sps_pps_size+in_size+nal_header_size; |
| 38 *poutbuf = av_realloc(*poutbuf, *poutbuf_size); | 39 tmp = av_realloc(*poutbuf, *poutbuf_size); |
| 40 if (!tmp) | |
| 41 return AVERROR(ENOMEM); | |
| 42 *poutbuf = tmp; | |
| 39 if (sps_pps) | 43 if (sps_pps) |
| 40 memcpy(*poutbuf+offset, sps_pps, sps_pps_size); | 44 memcpy(*poutbuf+offset, sps_pps, sps_pps_size); |
| 41 memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size); | 45 memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size); |
| 42 if (!offset) | 46 if (!offset) |
| 43 AV_WB32(*poutbuf+sps_pps_size, 1); | 47 AV_WB32(*poutbuf+sps_pps_size, 1); |
| 44 else { | 48 else { |
| 45 (*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0; | 49 (*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0; |
| 46 (*poutbuf+offset+sps_pps_size)[2] = 1; | 50 (*poutbuf+offset+sps_pps_size)[2] = 1; |
| 47 } | 51 } |
| 52 | |
| 53 return 0; | |
| 48 } | 54 } |
| 49 | 55 |
| 50 static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, | 56 static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, |
| 51 AVCodecContext *avctx, const char *args, | 57 AVCodecContext *avctx, const char *args, |
| 52 uint8_t **poutbuf, int *poutbuf_size, | 58 uint8_t **poutbuf, int *poutbuf_size, |
| 83 if (!unit_nb) { | 89 if (!unit_nb) { |
| 84 unit_nb = *extradata++; /* number of pps unit(s) */ | 90 unit_nb = *extradata++; /* number of pps unit(s) */ |
| 85 sps_done++; | 91 sps_done++; |
| 86 } | 92 } |
| 87 while (unit_nb--) { | 93 while (unit_nb--) { |
| 94 void *tmp; | |
| 95 | |
| 88 unit_size = AV_RB16(extradata); | 96 unit_size = AV_RB16(extradata); |
| 89 total_size += unit_size+4; | 97 total_size += unit_size+4; |
| 90 if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) { | 98 if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) { |
| 91 av_free(out); | 99 av_free(out); |
| 92 return AVERROR(EINVAL); | 100 return AVERROR(EINVAL); |
| 93 } | 101 } |
| 94 out = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE); | 102 tmp = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE); |
| 95 if (!out) | 103 if (!tmp) { |
| 104 av_free(out); | |
| 96 return AVERROR(ENOMEM); | 105 return AVERROR(ENOMEM); |
| 106 } | |
| 107 out = tmp; | |
| 97 memcpy(out+total_size-unit_size-4, nalu_header, 4); | 108 memcpy(out+total_size-unit_size-4, nalu_header, 4); |
| 98 memcpy(out+total_size-unit_size, extradata+2, unit_size); | 109 memcpy(out+total_size-unit_size, extradata+2, unit_size); |
| 99 extradata += 2+unit_size; | 110 extradata += 2+unit_size; |
| 100 | 111 |
| 101 if (!unit_nb && !sps_done++) | 112 if (!unit_nb && !sps_done++) |
| 129 if (buf + nal_size > buf_end || nal_size < 0) | 140 if (buf + nal_size > buf_end || nal_size < 0) |
| 130 goto fail; | 141 goto fail; |
| 131 | 142 |
| 132 /* prepend only to the first type 5 NAL unit of an IDR picture */ | 143 /* prepend only to the first type 5 NAL unit of an IDR picture */ |
| 133 if (ctx->first_idr && unit_type == 5) { | 144 if (ctx->first_idr && unit_type == 5) { |
| 134 alloc_and_copy(poutbuf, poutbuf_size, | 145 if (alloc_and_copy(poutbuf, poutbuf_size, |
| 135 avctx->extradata, avctx->extradata_size, | 146 avctx->extradata, avctx->extradata_size, |
| 136 buf, nal_size); | 147 buf, nal_size) < 0) |
| 148 goto fail; | |
| 137 ctx->first_idr = 0; | 149 ctx->first_idr = 0; |
| 138 } | 150 } |
| 139 else { | 151 else { |
| 140 alloc_and_copy(poutbuf, poutbuf_size, | 152 if (alloc_and_copy(poutbuf, poutbuf_size, |
| 141 NULL, 0, | 153 NULL, 0, |
| 142 buf, nal_size); | 154 buf, nal_size) < 0) |
| 155 goto fail; | |
| 143 if (!ctx->first_idr && unit_type == 1) | 156 if (!ctx->first_idr && unit_type == 1) |
| 144 ctx->first_idr = 1; | 157 ctx->first_idr = 1; |
| 145 } | 158 } |
| 146 | 159 |
| 147 buf += nal_size; | 160 buf += nal_size; |