# HG changeset patch # User reimar # Date 1284831503 0 # Node ID 23ba595c029245e1a802484a3677038115861297 # Parent c6e682837c8a395b5009dd28c46679778959727b Matroska allows data to be compressed multiple times, thus ensure the destination buffers are sufficiently padded as well. diff -r c6e682837c8a -r 23ba595c0292 libmpdemux/demux_mkv.c --- a/libmpdemux/demux_mkv.c Sat Sep 18 17:27:17 2010 +0000 +++ b/libmpdemux/demux_mkv.c Sat Sep 18 17:38:23 2010 +0000 @@ -318,11 +318,11 @@ *dest = NULL; zstream.avail_out = *size; do { - if (*size > SIZE_MAX - 4000) + if (*size > SIZE_MAX - 4000 - AV_LZO_INPUT_PADDING) goto zlib_fail; *size += 4000; - *dest = realloc(*dest, *size); + *dest = realloc(*dest, *size + AV_LZO_INPUT_PADDING); zstream.next_out = (Bytef *) (*dest + zstream.total_out); result = inflate(&zstream, Z_NO_FLUSH); if (result != Z_OK && result != Z_STREAM_END) { @@ -349,10 +349,13 @@ *dest = NULL; while (1) { + // Max of both because we might decompress the input multiple + // times. Makes no sense but is possible. + int padding = FFMAX(AV_LZO_OUTPUT_PADDING, AV_LZO_INPUT_PADDING); int srclen = *size; - if (dstlen > SIZE_MAX - AV_LZO_OUTPUT_PADDING) + if (dstlen > SIZE_MAX - padding) goto lzo_fail; - *dest = realloc(*dest, dstlen + AV_LZO_OUTPUT_PADDING); + *dest = realloc(*dest, dstlen + padding); out_avail = dstlen; result = av_lzo1x_decode(*dest, &out_avail, src, &srclen); if (result == 0) @@ -367,7 +370,7 @@ } mp_msg(MSGT_DEMUX, MSGL_DBG2, "[mkv] lzo decompression buffer too small.\n"); - if (dstlen > (SIZE_MAX - AV_LZO_OUTPUT_PADDING)/2) + if (dstlen > (SIZE_MAX - padding)/2) goto lzo_fail; dstlen *= 2; }