# HG changeset patch
# User rtognimp
# Date 1147621865 0
# Node ID 01b9f29c2fb51cddb9b6d16513c3dc318bb2bc90
# Parent eca613999d6c12317ef1c4321d1342882b183e21
Fix some potential integer overflow in memory allocation (mot of these were probably safe or disabled anyway)
diff -r eca613999d6c -r 01b9f29c2fb5 libmpdemux/demux_real.c
--- a/libmpdemux/demux_real.c Sun May 14 13:39:52 2006 +0000
+++ b/libmpdemux/demux_real.c Sun May 14 15:51:05 2006 +0000
@@ -407,7 +407,7 @@
 for (i = 0; i < MAX_STREAMS; i++) {
 priv->index_table_size[i] = num_of_packets;
- priv->index_table[i] = malloc(priv->index_table_size[i] * sizeof(real_index_table_t));
+ priv->index_table[i] = calloc(priv->index_table_size[i], sizeof(real_index_table_t));
 // priv->index_table[stream_id] = realloc(priv->index_table[stream_id],
 // priv->index_table_size[stream_id] * sizeof(real_index_table_t));
 }
@@ -1054,8 +1054,8 @@
 demuxer->audio->id=stream_id;
 sh->ds=demuxer->audio;
 demuxer->audio->sh=sh;
- priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
- priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+ priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+ priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
 mp_msg(MSGT_DEMUX,MSGL_V,"Auto-selected RM audio ID = %d\n",stream_id);
 goto got_audio;
 }
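Review bot: In the `@@ -407,7` hunk the pointer returned by `calloc(priv->index_table_size[i], sizeof(real_index_table_t))` is stored without a NULL check, and NULL is exactly how calloc reports a count that would overflow, so the case this commit is meant to make safe still ends in an unchecked pointer in the visible lines. Unless a check exists outside the hunk, `priv->index_table_size[i]` keeps the file-supplied `num_of_packets` while the table is NULL; I would add `if (!priv->index_table[i]) priv->index_table_size[i] = 0;` right after the allocation and leave the index-parsing path there. The same missing check applies to `priv->audio_buf` and `priv->audio_timestamp` in the `@@ -1054,8` and `@@ -1470,8` hunks and to `ra_priv->audio_buf` in both demux_realaud.c hunks. The enclosing functions start and end outside these hunks, so the right error exit for each site has to be confirmed against the full file.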
@@ -1416,6 +1416,11 @@
 if (version==5) stream_skip(demuxer->stream,1); // Skip 1 additional unknown byte
 codecdata_length=stream_read_dword(demuxer->stream);
+ // Check extradata len, we can't store bigger values in cbSize anyway
+ if ((unsigned)codecdata_length > 0xffff) {
+ mp_msg(MSGT_DEMUX,MSGL_ERR,"Extradata too big (%d)\n", codecdata_length);
+ goto skip_this_chunk;
+ }
 sh->wf->cbSize = codecdata_length;
 sh->wf = realloc(sh->wf, sizeof(WAVEFORMATEX)+sh->wf->cbSize);
 stream_read(demuxer->stream, ((char*)(sh->wf+1)), codecdata_length); // extras
@@ -1470,8 +1475,8 @@
 demuxer->audio->id=stream_id;
 sh->ds=demuxer->audio;
 demuxer->audio->sh=sh;
- priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
- priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+ priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+ priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
 }
 ++a_streams;
diff -r eca613999d6c -r 01b9f29c2fb5 libmpdemux/demux_realaud.c
--- a/libmpdemux/demux_realaud.c Sun May 14 13:39:52 2006 +0000
+++ b/libmpdemux/demux_realaud.c Sun May 14 15:51:05 2006 +0000
@@ -298,7 +298,7 @@
 case FOURCC_288:
 mp_msg(MSGT_DEMUX,MSGL_V,"Audio: 28_8\n");
 sh->wf->nBlockAlign = ra_priv->coded_framesize;
- ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+ ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
 break;
 case FOURCC_DNET:
 mp_msg(MSGT_DEMUX,MSGL_V,"Audio: DNET -> AC3\n");
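Review bot: The `realloc` two lines below the new 0xffff bound in the `@@ -1416,6` hunk still assigns straight back to `sh->wf`, so a failed reallocation loses the original block and the following `stream_read` writes to `sh->wf+1` computed from a NULL pointer. I would hold the result in a temporary of the same pointer type as `sh->wf` and bail out on failure: `tmp = realloc(sh->wf, sizeof(WAVEFORMATEX)+codecdata_length);`, `if (!tmp) goto skip_this_chunk;`, `sh->wf = tmp;`. The return value of `stream_read` is also ignored, so on a truncated file the extradata tail stays uninitialized because realloc does not zero the new bytes. The `skip_this_chunk` label and the allocation of `sh` are outside the hunk, so a short comment at the new `goto` saying what happens to the already-created `sh` and `sh->wf` on that path would help the next reader.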
@@ -307,7 +307,7 @@
 mp_msg(MSGT_DEMUX,MSGL_V,"Audio: SIPR\n");
 sh->wf->nBlockAlign = ra_priv->coded_framesize;
 sh->wf->nAvgBytesPerSec = sipr_fl2bps[ra_priv->codec_flavor];
- ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+ ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
 break;
 default:
 mp_msg(MSGT_DEMUX,MSGL_V,"Audio: Unknown (%d)\n", sh->format);