comparison utils.c @ 639:0b52743104ac libavformat

integer overflows, heap corruption; possible arbitrary code execution cannot be ruled out in some cases; precautionary checks
author michael
date Sat, 08 Jan 2005 14:21:33 +0000
parents aff6e233426a
children 253b5292946a
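--- a/utils.c
+++ b/utils.c
@@ -178,11 +178,14 @@
 * @param size wanted payload size
 * @return 0 if OK. AVERROR_xxx otherwise.
 */
 int av_new_packet(AVPacket *pkt, int size)
 {
-void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+void *data;
+if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
+return AVERROR_NOMEM;
+data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data)
 return AVERROR_NOMEM;
 memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 
 av_init_packet(pkt);
@@ -198,10 +201,12 @@
 {
 if (pkt->destruct != av_destruct_packet) {
 uint8_t *data;
 /* we duplicate the packet and don't forget to put the padding
 again */
+if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
+return AVERROR_NOMEM;
 data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data) {
 return AVERROR_NOMEM;
 }
 memcpy(data, pkt->data, pkt->size);
@@ -275,12 +280,12 @@
 }
 *rptr_ptr = rptr;
 return 0;
 }
 
-void fifo_realloc(FifoBuffer *f, int new_size){
+void fifo_realloc(FifoBuffer *f, unsigned int new_size){
-int old_size= f->end - f->buffer;
+unsigned int old_size= f->end - f->buffer;
 
 if(old_size < new_size){
 uint8_t *old= f->buffer;
 
 f->buffer= av_realloc(f->buffer, new_size);
@@ -1005,14 +1010,20 @@
 int64_t pos, int64_t timestamp, int distance, int flags)
 {
 AVIndexEntry *entries, *ie;
 int index;
 
+if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
+return -1;
+
 entries = av_fast_realloc(st->index_entries,
 &st->index_entries_allocated_size,
 (st->nb_index_entries + 1) *
 sizeof(AVIndexEntry));
+if(!entries)
+return -1;
+
 st->index_entries= entries;
 
 index= av_index_search_timestamp(st, timestamp, 0);
 
 if(index<0){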
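Review bot: The guard added in av_new_packet only detects unsigned wraparound, so a negative `size` whose magnitude is larger than the padding, or a `size` within the padding of INT_MAX, still passes it. The `size + FF_INPUT_BUFFER_PADDING_SIZE` then passed to av_malloc is evaluated in signed arithmetic (assuming the padding constant is a plain int, which is not visible here). For a negative size, rejection depends entirely on av_malloc refusing the resulting huge request; if that allocation ever succeeded, `memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE)` would write before the buffer. A direct range check states the intent without relying on the allocator: `if (size < 0 || size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return AVERROR_NOMEM;`. The same applies to the `pkt->size` guard added in av_dup_packet; both function bodies continue outside their hunks.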