Mercurial > mplayer.hg
comparison libmpdemux/demux_real.c @ 18444:fa603193eccf
Fix potential integer overflows in memory allocation. Patch by Reimar and me, SIZE_MAX by Rich
| author | rtognimp |
|---|---|
| date | Thu, 11 May 2006 18:50:46 +0000 |
| parents | f72bc5754209 |
| children | 01b9f29c2fb5 |
comparison
equal
deleted
inserted
replaced
| 18443:1bcd97461b7b | 18444:fa603193eccf |
|---|---|
| 120 float *audio_timestamp; ///< timestamp for each audio packet | 120 float *audio_timestamp; ///< timestamp for each audio packet |
| 121 int sub_packet_cnt; ///< number of subpacket already received | 121 int sub_packet_cnt; ///< number of subpacket already received |
| 122 int audio_filepos; ///< file position of first audio packet in block | 122 int audio_filepos; ///< file position of first audio packet in block |
| 123 } real_priv_t; | 123 } real_priv_t; |
| 124 | 124 |
| 125 //! use at most 200 MB of memory for index, corresponds to around 25 million entries | |
| 126 #define MAX_INDEX_ENTRIES (200*1024*1024 / sizeof(real_index_table_t)) | |
| 127 | |
| 125 /* originally from FFmpeg */ | 128 /* originally from FFmpeg */ |
| 126 static void get_str(int isbyte, demuxer_t *demuxer, char *buf, int buf_size) | 129 static void get_str(int isbyte, demuxer_t *demuxer, char *buf, int buf_size) |
| 127 { | 130 { |
| 128 int len; | 131 int len; |
| 129 | 132 |
| 220 stream_id = stream_read_word(demuxer->stream); | 223 stream_id = stream_read_word(demuxer->stream); |
| 221 mp_msg(MSGT_DEMUX, MSGL_V,"stream_id: %d\n", stream_id); | 224 mp_msg(MSGT_DEMUX, MSGL_V,"stream_id: %d\n", stream_id); |
| 222 | 225 |
| 223 next_header_pos = stream_read_dword(demuxer->stream); | 226 next_header_pos = stream_read_dword(demuxer->stream); |
| 224 mp_msg(MSGT_DEMUX, MSGL_V,"next_header_pos: %d\n", next_header_pos); | 227 mp_msg(MSGT_DEMUX, MSGL_V,"next_header_pos: %d\n", next_header_pos); |
| 225 if (entries <= 0) | 228 if (entries <= 0 || entries > MAX_INDEX_ENTRIES) |
| 226 { | 229 { |
| 227 if (next_header_pos) | 230 if (next_header_pos) |
| 228 goto read_index; | 231 goto read_index; |
| 229 i = entries; | 232 i = entries; |
| 230 goto end; | 233 goto end; |
| 231 } | 234 } |
| 232 | 235 |
| 233 priv->index_table_size[stream_id] = entries; | 236 priv->index_table_size[stream_id] = entries; |
| 234 priv->index_table[stream_id] = malloc(priv->index_table_size[stream_id] * sizeof(real_index_table_t)); | 237 priv->index_table[stream_id] = calloc(priv->index_table_size[stream_id], sizeof(real_index_table_t)); |
| 235 | 238 |
| 236 for (i = 0; i < entries; i++) | 239 for (i = 0; i < entries; i++) |
| 237 { | 240 { |
| 238 stream_skip(demuxer->stream, 2); /* version */ | 241 stream_skip(demuxer->stream, 2); /* version */ |
| 239 priv->index_table[stream_id][i].timestamp = stream_read_dword(demuxer->stream); | 242 priv->index_table[stream_id][i].timestamp = stream_read_dword(demuxer->stream); |
| 265 { | 268 { |
| 266 if ((unsigned)stream_id < MAX_STREAMS) | 269 if ((unsigned)stream_id < MAX_STREAMS) |
| 267 { | 270 { |
| 268 real_priv_t *priv = demuxer->priv; | 271 real_priv_t *priv = demuxer->priv; |
| 269 real_index_table_t *index; | 272 real_index_table_t *index; |
| 273 if (priv->index_table_size[stream_id] >= MAX_INDEX_ENTRIES) { | |
| 274 mp_msg(MSGT_DEMUXER, MSGL_WARN, "Index too large during building\n"); | |
| 275 return; | |
| 276 } | |
| 270 if (priv->index_table_size[stream_id] >= priv->index_malloc_size[stream_id]) | 277 if (priv->index_table_size[stream_id] >= priv->index_malloc_size[stream_id]) |
| 271 { | 278 { |
| 272 if (priv->index_malloc_size[stream_id] == 0) | 279 if (priv->index_malloc_size[stream_id] == 0) |
| 273 priv->index_malloc_size[stream_id] = 2048; | 280 priv->index_malloc_size[stream_id] = 2048; |
| 274 else | 281 else |