changeset 18505:01b9f29c2fb5

Fix some potential integer overflows in memory allocation (most of these were probably safe or disabled anyway)
author rtognimp
date Sun, 14 May 2006 15:51:05 +0000
parents eca613999d6c
children 14895e151e0f
files libmpdemux/demux_real.c libmpdemux/demux_realaud.c
diffstat 2 files changed, 12 insertions(+), 7 deletions(-) [+]
--- a/libmpdemux/demux_real.c	Sun May 14 13:39:52 2006 +0000
+++ b/libmpdemux/demux_real.c	Sun May 14 15:51:05 2006 +0000
@@ -407,7 +407,7 @@
     for (i = 0; i < MAX_STREAMS; i++)
     {
     priv->index_table_size[i] = num_of_packets;
-    priv->index_table[i] = malloc(priv->index_table_size[i] * sizeof(real_index_table_t));
+    priv->index_table[i] = calloc(priv->index_table_size[i], sizeof(real_index_table_t));
 //    priv->index_table[stream_id] = realloc(priv->index_table[stream_id],
 //	priv->index_table_size[stream_id] * sizeof(real_index_table_t));
     }
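Review bot: The new calloc() on the index_table line removes the multiplication overflow but its result is still not checked, so on failure index_table[i] is NULL while index_table_size[i] still claims num_of_packets entries; any later index write guided by that size would then dereference NULL. Keeping the two fields consistent is a one-line change, `if (!priv->index_table[i]) priv->index_table_size[i] = 0;`, or better, fail the whole index build (the enclosing function starts and ends outside the hunk, so I cannot see its error path). Where num_of_packets comes from is also not visible here; if it is read from the file, a hostile value still means MAX_STREAMS huge allocations, which calloc does not prevent. The two commented-out realloc lines directly below the changed line are dead code and should go while this line is being touched.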
@@ -1054,8 +1054,8 @@
 	demuxer->audio->id=stream_id;
 	sh->ds=demuxer->audio;
 	demuxer->audio->sh=sh;
-	priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
-	priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+	priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+	priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
         mp_msg(MSGT_DEMUX,MSGL_V,"Auto-selected RM audio ID = %d\n",stream_id);
 	goto got_audio;
     }
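Review bot: Neither calloc() result on the two new lines is checked before the code jumps to got_audio, so an allocation failure (or sub_packet_h being 0, where calloc may legitimately return NULL) leaves audio_buf/audio_timestamp NULL for whatever consumes them later. A check such as `if (!priv->audio_buf || !priv->audio_timestamp) { mp_msg(MSGT_DEMUX,MSGL_ERR,"Out of memory\n"); /* bail out */ }` belongs between the allocations and the goto; the right bail-out target is outside this hunk, so I cannot name it. sub_packet_h and audiopk_size are presumably taken from the stream header, which is what makes the overflow fix relevant in the first place, so a NULL result here is reachable from crafted input, not just from genuine OOM.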
@@ -1416,6 +1416,11 @@
 			    if (version==5)
 			      stream_skip(demuxer->stream,1);  // Skip 1 additional unknown byte 
 			    codecdata_length=stream_read_dword(demuxer->stream);
+			    // Check extradata len, we can't store bigger values in cbSize anyway
+			    if ((unsigned)codecdata_length > 0xffff) {
+			        mp_msg(MSGT_DEMUX,MSGL_ERR,"Extradata too big (%d)\n", codecdata_length);
+				goto skip_this_chunk;
+			    }
 			    sh->wf->cbSize = codecdata_length;
 			    sh->wf = realloc(sh->wf, sizeof(WAVEFORMATEX)+sh->wf->cbSize);
 			    stream_read(demuxer->stream, ((char*)(sh->wf+1)), codecdata_length); // extras
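Review bot: The new 0xffff bound fixes the cbSize truncation, but the realloc() on the following line is still unchecked and assigned straight back into sh->wf, so on failure the old buffer leaks and the stream_read() on the next line writes through NULL. The stream_read() return value is also ignored, so a file that ends inside the extradata leaves cbSize claiming bytes that were never filled. Both checks can jump to the same skip_this_chunk label the new code already uses, on the assumption (not visible here) that that label resynchronises the stream to the chunk end. The enclosing function continues outside the hunk.
```c
// … unchanged: codecdata_length read and 0xffff bound check …
WAVEFORMATEX *wf = realloc(sh->wf, sizeof(WAVEFORMATEX) + codecdata_length);
if (!wf) {
    mp_msg(MSGT_DEMUX,MSGL_ERR,"Out of memory for extradata (%d)\n", codecdata_length);
    goto skip_this_chunk;
}
sh->wf = wf;
sh->wf->cbSize = codecdata_length;
if (stream_read(demuxer->stream, ((char*)(sh->wf+1)), codecdata_length) != codecdata_length) {
    mp_msg(MSGT_DEMUX,MSGL_ERR,"Truncated extradata\n");
    sh->wf->cbSize = 0;
    goto skip_this_chunk;
}
```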
@@ -1470,8 +1475,8 @@
 			demuxer->audio->id=stream_id;
 			sh->ds=demuxer->audio;
 			demuxer->audio->sh=sh;
-        	priv->audio_buf = malloc(priv->sub_packet_h[demuxer->audio->id] * priv->audiopk_size[demuxer->audio->id]);
-        	priv->audio_timestamp = malloc(priv->sub_packet_h[demuxer->audio->id] * sizeof(float));
+        	priv->audio_buf = calloc(priv->sub_packet_h[demuxer->audio->id], priv->audiopk_size[demuxer->audio->id]);
+        	priv->audio_timestamp = calloc(priv->sub_packet_h[demuxer->audio->id], sizeof(float));
 		    }
 		    
 		    ++a_streams;
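Review bot: The two new calloc() lines are an exact duplicate of the audio-buffer setup earlier in this file and share its missing NULL check, so a failed or zero-sized allocation falls straight through to `++a_streams` with audio_buf/audio_timestamp NULL. Pulling the three assignments plus the allocations into one static helper, say `static int real_alloc_audio_buf(real_priv_t *priv, int id)` returning -1 on failure, would give both call sites a single check instead of a copy each. As a point of style, the new lines mix eight spaces and a tab for indentation while the surrounding block uses tabs; worth normalising while the lines are being rewritten. The enclosing function starts and ends outside the hunk.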
--- a/libmpdemux/demux_realaud.c	Sun May 14 13:39:52 2006 +0000
+++ b/libmpdemux/demux_realaud.c	Sun May 14 15:51:05 2006 +0000
@@ -298,7 +298,7 @@
 		case FOURCC_288:
 			mp_msg(MSGT_DEMUX,MSGL_V,"Audio: 28_8\n");
             sh->wf->nBlockAlign = ra_priv->coded_framesize;
-            ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+            ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
 			break;
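Review bot: The new calloc() in the FOURCC_288 case is unchecked, and sub_packet_h and frame_size presumably come from the .ra header, so a zero or unsatisfiable product leaves ra_priv->audio_buf NULL for the packet reader with no diagnostic. A check of the form `if (!ra_priv->audio_buf) { mp_msg(MSGT_DEMUX,MSGL_ERR,"Cannot allocate audio buffer\n"); goto fail; }` is needed, with whatever error exit this function has; the switch and the function both extend beyond the hunk so I cannot see it. If the caller already treats a NULL audio_buf as "no reordering buffer", a comment saying so at this line would make the omission deliberate rather than accidental.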
 		case FOURCC_DNET:
 			mp_msg(MSGT_DEMUX,MSGL_V,"Audio: DNET -> AC3\n");
@@ -307,7 +307,7 @@
 			mp_msg(MSGT_DEMUX,MSGL_V,"Audio: SIPR\n");
 			sh->wf->nBlockAlign = ra_priv->coded_framesize;
 			sh->wf->nAvgBytesPerSec = sipr_fl2bps[ra_priv->codec_flavor];
-			ra_priv->audio_buf = malloc(ra_priv->sub_packet_h * ra_priv->frame_size);
+			ra_priv->audio_buf = calloc(ra_priv->sub_packet_h, ra_priv->frame_size);
 			break;
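Review bot: `sipr_fl2bps[ra_priv->codec_flavor]` on the line just above the new calloc() indexes a table with a value that is not bounds-checked anywhere visible in this hunk; if codec_flavor is read from the file header and sipr_fl2bps is a fixed-size table, an out-of-range flavor reads past it. Unless an earlier check exists outside the hunk, a guard such as `if (ra_priv->codec_flavor < 0 || ra_priv->codec_flavor >= sizeof(sipr_fl2bps)/sizeof(sipr_fl2bps[0])) { mp_msg(MSGT_DEMUX,MSGL_ERR,"Unsupported SIPR flavor %d\n", ra_priv->codec_flavor); goto fail; }` should precede it. The new calloc() on the following line is also unchecked, as in the FOURCC_288 case. The switch and the enclosing function continue outside the hunk.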
 		default:
 			mp_msg(MSGT_DEMUX,MSGL_V,"Audio: Unknown (%d)\n", sh->format);