annotate loader/dmo/buffer.c @ 26267:430da0c9fcce
Fix possible integer overflow in malloc by using calloc instead.
Should fix CVE-2008-0073 as far as MPlayer is affected by this problem.
author | reimar |
---|---|
date | Sat, 29 Mar 2008 11:35:29 +0000 |
parents | 2c8cdb9123b8 |
children | 008338d7679f |
rev | line source |
---|---|
8294 | 1 #include "DMO_Filter.h" |
2 | |
3 #include "wine/winerror.h" | |
4 #include "wine/windef.h" | |
5 | |
6 #include <stdio.h> | |
7 #include <string.h> | |
8 #include <stdlib.h> | |
9 | |
25794
|
/*
 * Implementation object behind an IMediaBuffer pointer: the functions in this
 * file cast IMediaBuffer* straight to CMediaBuffer*.
 * NOTE(review): that cast presumably relies on vt staying the first member -
 * confirm against the IMediaBuffer declaration before reordering fields.
 */
struct CMediaBuffer
{
    /* Heap-allocated vtable; filled in by CMediaBufferCreate and freed by
     * CMediaBuffer_Destroy. */
    IMediaBuffer_vt* vt;
    /* Macro defined outside this file; presumably declares the refcount field
     * that CMediaBufferCreate sets to 1 - confirm. */
    DECLARE_IUNKNOWN();
    /* Set to IID_IUnknown and IID_IMediaBuffer by CMediaBufferCreate. */
    GUID interfaces[2];
    /* Data buffer: either caller-supplied or allocated by CMediaBufferCreate. */
    void* mem;
    /* Number of bytes reported as valid; SetLength keeps it <= maxlen. */
    unsigned long len;
    /* Capacity of mem in bytes; also the allocation size when mem is private. */
    unsigned long maxlen;
    /* Non-zero when mem was allocated here and must be freed on destroy. */
    int freemem;
};
20 | |
/**
 * Set the number of valid bytes in the buffer.
 *
 * The new length is accepted only when it fits inside the buffer capacity;
 * this is the bound that keeps later readers of len within maxlen.
 *
 * @param This      buffer object (an IMediaBuffer that is really a CMediaBuffer)
 * @param cbLength  requested length in bytes
 * @return S_OK on success, E_INVALIDARG when cbLength exceeds maxlen
 */
static HRESULT STDCALL CMediaBuffer_SetLength(IMediaBuffer* This,
                                              unsigned long cbLength)
{
    CMediaBuffer* buf = (CMediaBuffer*) This;

    Debug printf("CMediaBuffer_SetLength(%p) called (%ld, %ld)\n", This, cbLength, buf->maxlen);

    if (cbLength <= buf->maxlen)
    {
        buf->len = cbLength;
        return S_OK;
    }
    return E_INVALIDARG;
}
31 | |
/**
 * Report the capacity of the buffer.
 *
 * @param This          buffer object
 * @param pcbMaxLength  receives maxlen; must not be NULL
 * @return S_OK on success, E_POINTER when pcbMaxLength is NULL
 */
static HRESULT STDCALL CMediaBuffer_GetMaxLength(IMediaBuffer* This,
                                                 /* [out] */ unsigned long *pcbMaxLength)
{
    CMediaBuffer* buf = (CMediaBuffer*) This;

    Debug printf("CMediaBuffer_GetMaxLength(%p) called -> %ld\n", This, buf->maxlen);

    if (pcbMaxLength == NULL)
        return E_POINTER;

    *pcbMaxLength = buf->maxlen;
    return S_OK;
}
42 | |
/**
 * Return the data pointer and/or the current valid length.
 *
 * Either output may be NULL, but not both. The caller receives the raw
 * internal pointer together with len, so the values are only safe to use
 * while len stays within the size of the memory behind mem.
 *
 * @param This       buffer object
 * @param ppBuffer   optional; receives the data pointer
 * @param pcbLength  optional; receives the current length in bytes
 * @return S_OK on success, E_POINTER when both outputs are NULL
 */
static HRESULT STDCALL CMediaBuffer_GetBufferAndLength(IMediaBuffer* This,
                                                       /* [out] */ char** ppBuffer,
                                                       /* [out] */ unsigned long* pcbLength)
{
    CMediaBuffer* buf = (CMediaBuffer*) This;

    Debug printf("CMediaBuffer_GetBufferAndLength(%p) called -> %p %ld\n", This, buf->mem, buf->len);

    if (ppBuffer == NULL && pcbLength == NULL)
        return E_POINTER;

    if (ppBuffer != NULL)
        *ppBuffer = buf->mem;
    if (pcbLength != NULL)
        *pcbLength = buf->len;

    return S_OK;
}
57 | |
/**
 * Release a CMediaBuffer and everything it owns.
 *
 * The data buffer is freed only when freemem says this object allocated it;
 * caller-supplied memory is left alone. Reads freemem, mem and vt, so all
 * three must hold defined values before this is called.
 *
 * @param This  object to destroy; must not be NULL
 */
static void CMediaBuffer_Destroy(CMediaBuffer* This)
{
    void* owned_mem;

    Debug printf("CMediaBuffer_Destroy(%p) called\n", This);

    /* free(NULL) is a no-op, so a borrowed buffer is simply skipped. */
    owned_mem = This->freemem ? This->mem : NULL;
    free(owned_mem);
    free(This->vt);
    free(This);
}
66 | |
/* NOTE(review): macro defined outside this file; presumably expands to
 * CMediaBuffer_QueryInterface, CMediaBuffer_AddRef and CMediaBuffer_Release,
 * which CMediaBufferCreate installs in the vtable - confirm. */
IMPLEMENT_IUNKNOWN(CMediaBuffer)
68 | |
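/**
 * Allocate and initialise a CMediaBuffer.
 *
 * @param maxlen  capacity of the data buffer in bytes
 * @param mem     caller-supplied data; used directly when copy is 0, or read
 *                as the source of a private copy when copy is non-zero
 * @param len     number of valid bytes; must not exceed maxlen
 * @param copy    non-zero to allocate a private buffer of maxlen bytes and
 *                copy len bytes from mem into it
 * @return the new object with refcount 1, or NULL when an allocation fails
 *         or the arguments are inconsistent (len > maxlen, or a copy of
 *         len > 0 bytes requested from a NULL mem)
 *
 * A private buffer is also allocated when mem is NULL and maxlen is non-zero.
 * Private buffers are released by CMediaBuffer_Destroy (freemem is 1);
 * caller-supplied memory is never freed by this object.
 */
CMediaBuffer* CMediaBufferCreate(unsigned long maxlen, void* mem,
                                 unsigned long len, int copy)
{
    CMediaBuffer* This;

    /* len is the byte count of the memcpy below and is later reported by
     * GetBufferAndLength as the readable size, so it must fit in maxlen.
     * SetLength enforces the same bound after construction. */
    if (len > maxlen)
        return NULL;

    /* A copy needs a source to read from. */
    if (copy && len && !mem)
        return NULL;

    This = malloc(sizeof *This);
    if (!This)
        return NULL;

    /* Give every field CMediaBuffer_Destroy reads a defined value before any
     * failure path can reach it; otherwise a failed vtable allocation would
     * make Destroy act on an indeterminate freemem/mem pair. */
    This->vt = NULL;
    This->mem = NULL;
    This->freemem = 0;

    This->vt = malloc(sizeof *This->vt);
    if (!This->vt)
    {
        CMediaBuffer_Destroy(This);
        return NULL;
    }

    This->refcount = 1;
    This->len = len;
    This->maxlen = maxlen;

    if (copy || !mem)
    {
        /* Private buffer: either an explicit copy was requested or the
         * caller supplied no memory. With maxlen == 0 mem stays NULL. */
        if (maxlen)
        {
            This->mem = malloc(maxlen);
            if (!This->mem)
            {
                CMediaBuffer_Destroy(This);
                return NULL;
            }
            This->freemem = 1;
            /* NOTE(review): bytes past the copied data (all of the buffer
             * when copy is 0) are left uninitialised, as before. */
            if (copy && len)
                memcpy(This->mem, mem, len);
        }
    }
    else
    {
        /* Borrow the caller's memory; it is not freed on destroy. */
        This->mem = mem;
    }

    This->vt->QueryInterface = CMediaBuffer_QueryInterface;
    This->vt->AddRef = CMediaBuffer_AddRef;
    This->vt->Release = CMediaBuffer_Release;

    This->vt->SetLength = CMediaBuffer_SetLength;
    This->vt->GetMaxLength = CMediaBuffer_GetMaxLength;
    This->vt->GetBufferAndLength = CMediaBuffer_GetBufferAndLength;

    This->interfaces[0] = IID_IUnknown;
    This->interfaces[1] = IID_IMediaBuffer;

    return This;
}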