comparison utils.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
author | michael |
---|---|
date | Sat, 08 Jan 2005 14:21:33 +0000 |
parents | aff6e233426a |
children | 253b5292946a |
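--- a/utils.c
+++ b/utils.c
@@ -178,11 +178,14 @@
 * @param size wanted payload size
 * @return 0 if OK. AVERROR_xxx otherwise.
 */
 int av_new_packet(AVPacket *pkt, int size)
 {
-void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+void *data;
+if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
+return AVERROR_NOMEM;
+data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data)
 return AVERROR_NOMEM;
 memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 
 av_init_packet(pkt);
@@ -198,10 +201,12 @@
 {
 if (pkt->destruct != av_destruct_packet) {
 uint8_t *data;
 /* we duplicate the packet and don't forget to put the padding
 again */
+if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
+return AVERROR_NOMEM;
 data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data) {
 return AVERROR_NOMEM;
 }
 memcpy(data, pkt->data, pkt->size);
@@ -275,12 +280,12 @@
 }
 *rptr_ptr = rptr;
 return 0;
 }
 
-void fifo_realloc(FifoBuffer *f, int new_size){
-int old_size= f->end - f->buffer;
+void fifo_realloc(FifoBuffer *f, unsigned int new_size){
+unsigned int old_size= f->end - f->buffer;
 
 if(old_size < new_size){
 uint8_t *old= f->buffer;
 
 f->buffer= av_realloc(f->buffer, new_size);
@@ -1005,14 +1010,20 @@
 int64_t pos, int64_t timestamp, int distance, int flags)
 {
 AVIndexEntry *entries, *ie;
 int index;
 
+if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
+return -1;
+
 entries = av_fast_realloc(st->index_entries,
 &st->index_entries_allocated_size,
 (st->nb_index_entries + 1) *
 sizeof(AVIndexEntry));
+if(!entries)
+return -1;
+
 st->index_entries= entries;
 
 index= av_index_search_timestamp(st, timestamp, 0);
 
 if(index<0){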
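Review bot: The guard added in av_new_packet (new lines 184-185) rejects only a `size` whose unsigned sum with the padding wraps, so a negative `size` below `-FF_INPUT_BUFFER_PADDING_SIZE` still passes it. If av_malloc then returns a buffer for the converted length (its own limits are not visible on this page), `memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE)` at line 189 addresses memory before the allocation. A signed range check closes this: `if (size < 0 || size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return AVERROR_NOMEM;`. The same applies to `pkt->size` in the guard added at new lines 206-207, where the `memcpy` at line 212 copies that length. Both function bodies continue outside the hunks shown.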