comparison libmpdemux/demux_real.c @ 18444:fa603193eccf
Fix potential integer overflows in memory allocation. Patch by Reimar and me, SIZE_MAX by Rich
author | rtognimp |
---|---|
date | Thu, 11 May 2006 18:50:46 +0000 |
parents | f72bc5754209 |
children | 01b9f29c2fb5 |
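--- a/libmpdemux/demux_real.c
+++ b/libmpdemux/demux_real.c
@@ -120,10 +120,13 @@
 float *audio_timestamp; ///< timestamp for each audio packet
 int sub_packet_cnt; ///< number of subpacket already received
 int audio_filepos; ///< file position of first audio packet in block
 } real_priv_t;
 
+//! use at most 200 MB of memory for index, corresponds to around 25 million entries
+#define MAX_INDEX_ENTRIES (200*1024*1024 / sizeof(real_index_table_t))
+
 /* originally from FFmpeg */
 static void get_str(int isbyte, demuxer_t *demuxer, char *buf, int buf_size)
 {
 int len;
 
@@ -220,20 +223,20 @@
 stream_id = stream_read_word(demuxer->stream);
 mp_msg(MSGT_DEMUX, MSGL_V,"stream_id: %d\n", stream_id);
 
 next_header_pos = stream_read_dword(demuxer->stream);
 mp_msg(MSGT_DEMUX, MSGL_V,"next_header_pos: %d\n", next_header_pos);
-if (entries <= 0)
+if (entries <= 0 || entries > MAX_INDEX_ENTRIES)
 {
 if (next_header_pos)
 goto read_index;
 i = entries;
 goto end;
 }
 
 priv->index_table_size[stream_id] = entries;
-priv->index_table[stream_id] = malloc(priv->index_table_size[stream_id] * sizeof(real_index_table_t));
+priv->index_table[stream_id] = calloc(priv->index_table_size[stream_id], sizeof(real_index_table_t));
 
 for (i = 0; i < entries; i++)
 {
 stream_skip(demuxer->stream, 2); /* version */
 priv->index_table[stream_id][i].timestamp = stream_read_dword(demuxer->stream);
@@ -265,10 +268,14 @@
 {
 if ((unsigned)stream_id < MAX_STREAMS)
 {
 real_priv_t *priv = demuxer->priv;
 real_index_table_t *index;
+if (priv->index_table_size[stream_id] >= MAX_INDEX_ENTRIES) {
+mp_msg(MSGT_DEMUXER, MSGL_WARN, "Index too large during building\n");
+return;
+}
 if (priv->index_table_size[stream_id] >= priv->index_malloc_size[stream_id])
 {
 if (priv->index_malloc_size[stream_id] == 0)
 priv->index_malloc_size[stream_id] = 2048;
 else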
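Review bot: In the second hunk (new lines 223-237), `stream_id` is taken from `stream_read_word()` and then used to index `priv->index_table_size[]` and `priv->index_table[]` with no range check anywhere between the read and the stores, so the new `entries` limit does not stop a file-supplied stream id from writing past those arrays. The third hunk guards what appear to be the same arrays with `(unsigned)stream_id < MAX_STREAMS`, and the existing skip path could carry the same test: `if (entries <= 0 || entries > MAX_INDEX_ENTRIES || (unsigned)stream_id >= MAX_STREAMS)`. Separately, the result of the new `calloc()` is not checked before the `for` loop stores into `priv->index_table[stream_id][i]`, and with the cap at about 200 MB a failed allocation is realistic. A NULL check that resets `priv->index_table_size[stream_id]` to 0 and leaves by the same exit as the `entries` guard would avoid the write through a null pointer. Both functions start and end outside the visible hunks, so the array bounds and the behaviour of the `end` label are inferred and should be confirmed.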