diff libmpdemux/demux_real.c @ 18444:fa603193eccf

Fix potential integer overflows in memory allocation. Patch by Reimar and me, SIZE_MAX by Rich
author rtognimp
date Thu, 11 May 2006 18:50:46 +0000
parents f72bc5754209
children 01b9f29c2fb5
--- a/libmpdemux/demux_real.c	Thu May 11 15:39:43 2006 +0000
+++ b/libmpdemux/demux_real.c	Thu May 11 18:50:46 2006 +0000
@@ -122,6 +122,9 @@
     int audio_filepos; ///< file position of first audio packet in block
 } real_priv_t;
 
+//! use at most 200 MB of memory for index, corresponds to around 25 million entries
+#define MAX_INDEX_ENTRIES (200*1024*1024 / sizeof(real_index_table_t))
+
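Review bot: The new MAX_INDEX_ENTRIES expansion is not wrapped in parentheses, so its correctness depends on the precedence at every use site; `#define MAX_INDEX_ENTRIES ((200*1024*1024) / sizeof(real_index_table_t))` costs nothing and removes that dependency. Because the macro has type size_t, any comparison against a signed count is only well-defined once the negative case has been rejected, which the `entries <= 0` test below happens to do first and which deserves a comment here. The "around 25 million entries" figure holds only for an 8-byte real_index_table_t; that struct is declared above this hunk and I cannot confirm its size from here.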
 /* originally from FFmpeg */
 static void get_str(int isbyte, demuxer_t *demuxer, char *buf, int buf_size)
 {
@@ -222,7 +225,7 @@
     
     next_header_pos = stream_read_dword(demuxer->stream);
     mp_msg(MSGT_DEMUX, MSGL_V,"next_header_pos: %d\n", next_header_pos);
-    if (entries <= 0)
+    if (entries <= 0 || entries > MAX_INDEX_ENTRIES)
     {
 	if (next_header_pos)
 	    goto read_index;
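Review bot: The widened `if (entries <= 0 || entries > MAX_INDEX_ENTRIES)` condition folds an implausibly large declared index count into the same branch as an empty index, so a corrupt or crafted header is discarded without any diagnostic before the parser falls back to `goto read_index`. A message ahead of the branch, e.g. `if (entries > MAX_INDEX_ENTRIES) mp_msg(MSGT_DEMUX, MSGL_WARN, "Index has too many entries, ignoring\n");`, makes the fallback visible to whoever is debugging a file that never seeks correctly. The declaration of `entries` is outside this hunk; if it is a signed int, the comparison with the size_t macro relies on the `<= 0` test short-circuiting first, which is worth stating in a comment.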
@@ -231,7 +234,7 @@
     }
 
     priv->index_table_size[stream_id] = entries;
-    priv->index_table[stream_id] = malloc(priv->index_table_size[stream_id] * sizeof(real_index_table_t));
+    priv->index_table[stream_id] = calloc(priv->index_table_size[stream_id], sizeof(real_index_table_t));
     
     for (i = 0; i < entries; i++)
     {
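Review bot: The calloc result on the `priv->index_table[stream_id] = calloc(...)` line is still not checked before the loop that follows writes into it, and with the new cap the request can legitimately be close to 200 MB, which is exactly the allocation a memory-constrained host may refuse. Moving from malloc to calloc removes the count*size overflow but not the NULL case; add `if (!priv->index_table[stream_id]) { priv->index_table_size[stream_id] = 0; return; }` adjusted to the enclosing function's return convention, which starts outside this hunk. Resetting the stored size keeps later readers of index_table_size from trusting an allocation that never happened.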
@@ -267,6 +270,10 @@
   {
     real_priv_t *priv = demuxer->priv;
     real_index_table_t *index;
+    if (priv->index_table_size[stream_id] >= MAX_INDEX_ENTRIES) {
+      mp_msg(MSGT_DEMUXER, MSGL_WARN, "Index too large during building\n");
+      return;
+    }
     if (priv->index_table_size[stream_id] >= priv->index_malloc_size[stream_id])
     {
       if (priv->index_malloc_size[stream_id] == 0)
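Review bot: The new guard at the top of the function body emits a MSGL_WARN on every call once the table is full, so a file that keeps delivering packets past the cap logs one warning per packet for the rest of playback. Since index_table_size[stream_id] cannot grow after the early return, warn once — gate the message on a static flag, or demote it: `mp_msg(MSGT_DEMUXER, MSGL_V, "Index too large during building\n");`. The message type is MSGT_DEMUXER here while the earlier hunk in the same file uses MSGT_DEMUX; unless the two categories are intentionally distinct, one file should use one. The function's signature and the realloc growth path are outside this hunk, so I cannot tell whether index_malloc_size can already exceed MAX_INDEX_ENTRIES before this check takes effect.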