changeset 17226:255b14c0bc36

Add malloc padding to avoid access beyond allocated memory. Credits to Mikulas Patocka (mikulas at artax karlin mff cuni cz)
author henry
date Mon, 19 Dec 2005 19:38:28 +0000
parents ec9888363742
children c2b50fc5d86a
files libmpcodecs/ad_ffmpeg.c libmpcodecs/vd_ffmpeg.c libmpdemux/demux_asf.c libmpdemux/demux_real.c libmpdemux/demux_viv.c libmpdemux/video.c
diffstat 6 files changed, 55 insertions(+), 20 deletions(-) [+]
--- a/libmpcodecs/ad_ffmpeg.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpcodecs/ad_ffmpeg.c	Mon Dec 19 19:38:28 2005 +0000
@@ -73,7 +73,7 @@
 
     /* alloc extra data */
     if (sh_audio->wf && sh_audio->wf->cbSize > 0) {
-        lavc_context->extradata = av_malloc(sh_audio->wf->cbSize);
+        lavc_context->extradata = av_mallocz(sh_audio->wf->cbSize + FF_INPUT_BUFFER_PADDING_SIZE);
         lavc_context->extradata_size = sh_audio->wf->cbSize;
         memcpy(lavc_context->extradata, (char *)sh_audio->wf + sizeof(WAVEFORMATEX), 
                lavc_context->extradata_size);
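Review bot: The pointer returned by av_mallocz on L19 is not checked before the memcpy on L21 writes through it, so an allocation failure turns into a NULL dereference; the four vd_ffmpeg.c hunks in this changeset (@@ -324, -346, -384, -405) have the same unchecked av_mallocz immediately followed by a write. A guard after the allocation, `if (!lavc_context->extradata) return 0;` using whatever failure value this init routine returns elsewhere (its body starts outside the hunk), closes it. cbSize is a 16-bit WAVEFORMATEX field, so the added padding itself cannot overflow the size argument.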
--- a/libmpcodecs/vd_ffmpeg.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpcodecs/vd_ffmpeg.c	Mon Dec 19 19:38:28 2005 +0000
@@ -324,7 +324,7 @@
     {
 	avctx->flags |= CODEC_FLAG_EXTERN_HUFF;
 	avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER);
-	avctx->extradata = av_malloc(avctx->extradata_size);
+	avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 	memcpy(avctx->extradata, sh->bih+sizeof(BITMAPINFOHEADER),
 	    avctx->extradata_size);
 
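Review bot: On L31 the memcpy source `sh->bih+sizeof(BITMAPINFOHEADER)` is pointer arithmetic on sh->bih, so if sh->bih is a BITMAPINFOHEADER* (the `sizeof(*sh->bih)` comparison in the @@ -346 hunk suggests it is) it advances sizeof(BITMAPINFOHEADER) structs, not bytes, and copies from well past the header; the @@ -384 hunk reads the same trailing bytes as `sh->bih+1`, which is what this line should use too. Separately, `sh->bih->biSize-sizeof(BITMAPINFOHEADER)` on L28 (and again in @@ -384) wraps to a huge size_t when a file declares biSize smaller than the header, and that value then goes straight into av_mallocz and memcpy; rejecting `sh->bih->biSize < sizeof(BITMAPINFOHEADER)` before these branches stops it. The enclosing function starts outside the hunk.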
@@ -346,7 +346,7 @@
        || sh->format == mmioFOURCC('R', 'V', '4', '0')
        ){
         avctx->extradata_size= 8;
-        avctx->extradata = av_malloc(avctx->extradata_size);
+        avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
         if(sh->bih->biSize!=sizeof(*sh->bih)+8){
             /* only 1 packet per frame & sub_id from fourcc */
 	    ((uint32_t*)avctx->extradata)[0] = 0;
@@ -384,7 +384,7 @@
          ))
     {
 	avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER);
-	avctx->extradata = av_malloc(avctx->extradata_size);
+	avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 	memcpy(avctx->extradata, sh->bih+1, avctx->extradata_size);
     }
     /* Pass palette to codec */
@@ -405,7 +405,7 @@
     if (sh->ImageDesc &&
 	 sh->format == mmioFOURCC('S','V','Q','3')){
 	avctx->extradata_size = (*(int*)sh->ImageDesc) - sizeof(int);
-	avctx->extradata = av_malloc(avctx->extradata_size);
+	avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 	memcpy(avctx->extradata, ((int*)sh->ImageDesc)+1, avctx->extradata_size);
     }
     
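Review bot: The size on L55, `(*(int*)sh->ImageDesc) - sizeof(int)`, is an int minus a size_t, so it is computed unsigned and then stored into the int extradata_size; if the leading word of ImageDesc is below 4 (it looks like a length read from the container, and nothing in the hunk validates it) the result wraps to a huge value that reaches av_mallocz and memcpy on the following lines. Reading it into a named int first and failing the init when it is smaller than sizeof(int), e.g. `int desc_len = *(int*)sh->ImageDesc;` `if (desc_len < (int)sizeof(int)) return 0;`, would stop that before allocating. The enclosing function starts outside the hunk.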
--- a/libmpdemux/demux_asf.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpdemux/demux_asf.c	Mon Dec 19 19:38:28 2005 +0000
@@ -62,6 +62,11 @@
   *src = dst;
 }
 
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
 
 static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,int id,int seq,unsigned long time,unsigned short dur,int offs,int keyframe){
   demux_stream_t *ds=NULL;
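Review bot: The `#else` fallback on L70 hard-codes FF_INPUT_BUFFER_PADDING_SIZE as 8, a value that has to be kept in sync with libavcodec by hand, and the identical five-line block is pasted into demux_real.c, demux_viv.c and video.c in this same changeset. If libavcodec later grows its padding, a buffer sized with the fallback but decoded by the library gets less trailing space than the decoder assumes, which is the very overread this commit sets out to remove; keeping the block once in a shared project header would leave a single place to update. As a placement nit, here the block sits between two function bodies (after the `}` on L65) rather than with the file's includes, unlike the other three files.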
@@ -106,8 +111,9 @@
         // append data to it!
         demux_packet_t* dp=ds->asf_packet;
         if(dp->len!=offs && offs!=-1) mp_msg(MSGT_DEMUX,MSGL_V,"warning! fragment.len=%d BUT next fragment offset=%d  \n",dp->len,offs);
-        dp->buffer=realloc(dp->buffer,dp->len+len);
+        dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
         memcpy(dp->buffer+dp->len,data,len);
+        memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
         mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
         dp->len+=len;
         // we are ready now.
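Review bot: `dp->buffer=realloc(dp->buffer,...)` on L80 overwrites the only pointer to the old buffer, so a failed realloc leaks it and the memcpy and the new memset on L81-L82 then write through NULL; the same form appears in demux_real.c @@ -921 and demux_viv.c @@ -379. Use a temporary: `void *tmp = realloc(dp->buffer, dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);` `if (!tmp) { /* drop this fragment, keep dp as is */ }` `dp->buffer = tmp;` — what the right recovery is (drop the fragment, or discard the partial packet) is not decidable from the hunk alone. The enclosing function continues past the hunk.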
--- a/libmpdemux/demux_real.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpdemux/demux_real.c	Mon Dec 19 19:38:28 2005 +0000
@@ -32,6 +32,12 @@
 #include "stheader.h"
 #include "bswap.h"
 
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
 //#define mp_dbg(mod,lev, args... ) mp_msg_c((mod<<8)|lev, ## args )
 
 #define MKTAG(a, b, c, d) (a | (b << 8) | (c << 16) | (d << 24))
@@ -921,7 +927,8 @@
 			    // increase buffer size, this should not happen!
 			    mp_msg(MSGT_DEMUX,MSGL_WARN, "chunktab buffer too small!!!!!\n");
 			    dp->len=dp_hdr->chunktab+8*(4+dp_hdr->chunks);
-			    dp->buffer=realloc(dp->buffer,dp->len);
+			    dp->buffer=realloc(dp->buffer,dp->len+FF_INPUT_BUFFER_PADDING_SIZE);
+			    memset(dp->buffer + dp->len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 			    // re-calc pointers:
 			    dp_hdr=(dp_hdr_t*)dp->buffer;
 			    dp_data=dp->buffer+sizeof(dp_hdr_t);
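Review bot: After the realloc on L106 the bytes between the buffer's previous end and the new dp->len are indeterminate, and the added memset on L107 clears only the padding beyond dp->len, so unless the code after the hunk writes the enlarged chunk table in full, uninitialized bytes sit inside the packet that later reaches the decoder. If that full write is guaranteed, a one-line comment such as `// bytes up to dp->len are filled by the chunktab writes below` would make it explicit; otherwise save the old length before L104 and zero from there rather than only from dp->len. The enclosing function extends beyond the hunk on both sides.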
--- a/libmpdemux/demux_viv.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpdemux/demux_viv.c	Mon Dec 19 19:38:28 2005 +0000
@@ -15,6 +15,12 @@
 #include "stheader.h"
 #include "bswap.h"
 
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
 /* parameters ! */
 int vivo_param_version = -1;
 char *vivo_param_acodec = NULL;
@@ -379,7 +385,8 @@
       } else {
         // append data to it!
         demux_packet_t* dp=ds->asf_packet;
-        dp->buffer=realloc(dp->buffer,dp->len+len);
+        dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
+        memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
         //memcpy(dp->buffer+dp->len,data,len);
 	stream_read(demux->stream,dp->buffer+dp->len,len);
         mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
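Review bot: stream_read on L134 is expected to fill exactly len bytes of the region the realloc on L131 just grew, but its result is discarded, so a short read at end of stream leaves part of that region indeterminate while the length bookkeeping after the hunk presumably still advances by len. If stream_read reports the byte count, comparing it, `if (stream_read(demux->stream,dp->buffer+dp->len,len) != len) { /* truncated packet */ }`, lets the demuxer trim or drop the packet instead of handing stale bytes to the decoder. The enclosing function continues outside the hunk.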
--- a/libmpdemux/video.c	Mon Dec 19 18:04:37 2005 +0000
+++ b/libmpdemux/video.c	Mon Dec 19 19:38:28 2005 +0000
@@ -22,6 +22,12 @@
 /* sub_cc (closed captions)*/
 #include "sub_cc.h"
 
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
 /* biCompression constant */
 #define BI_RGB        0L
 
@@ -132,10 +138,13 @@
       }
    }
    mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
-   if(!videobuffer){ 
-     mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
-     return 0;
+   if(!videobuffer) {
+     videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+     if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+     else {
+       mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+       return 0;
+     }
    }
    mp_msg(MSGT_DECVIDEO,MSGL_V,"Searching for Video Object Layer Start code... ");fflush(stdout);
    while(1){
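Review bot: The seven-line allocate-then-zero-padding block added at L159-L166 is repeated verbatim in the @@ -222 and @@ -280 hunks, so the size arithmetic and the memset now live in three places that can drift apart. A small file-scope helper that allocates the (presumably file-scope) videobuffer on first use and zeroes its padding reduces each site to `if (!alloc_videobuffer()) return 0;` and keeps the logging in one place. The enclosing function starts outside the hunk.
```c
/* Allocate the shared video buffer on first use, with the libavcodec
 * padding after it zeroed; logs and returns 0 when the allocation fails. */
static int alloc_videobuffer(void)
{
   if (videobuffer) return 1;
   videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
   if (!videobuffer) {
     mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
     return 0;
   }
   memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
   return 1;
}

   /* … unchanged: header scan up to the "OK!" message … */
   if (!alloc_videobuffer()) return 0;
   mp_msg(MSGT_DECVIDEO,MSGL_V,"Searching for Video Object Layer Start code... ");fflush(stdout);
```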
@@ -222,10 +231,13 @@
       }
    }
    mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
-   if(!videobuffer){ 
-     mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
-     return 0;
+   if(!videobuffer) {
+     videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+     if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+     else {
+       mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+       return 0;
+     }
    }
    pos = videobuf_len+4;
    if(!read_video_packet(d_video)){ 
@@ -280,10 +292,13 @@
 //   sh_video=d_video->sh;sh_video->ds=d_video;
 //   mpeg2_init();
    // ========= Read & process sequence header & extension ============
-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
-   if(!videobuffer){ 
-     mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
-     return 0;
+   if(!videobuffer) {
+     videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+     if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+     else {
+       mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+       return 0;
+     }
    }
    
    if(!read_video_packet(d_video)){