changeset 17226:255b14c0bc36
malloc padding to avoid access beyond allocated memory
Credits to Mikulas Patocka (mikulas at artax karlin mff cuni cz)
author | henry |
---|---|
date | Mon, 19 Dec 2005 19:38:28 +0000 |
parents | ec9888363742 |
children | c2b50fc5d86a |
files | libmpcodecs/ad_ffmpeg.c libmpcodecs/vd_ffmpeg.c libmpdemux/demux_asf.c libmpdemux/demux_real.c libmpdemux/demux_viv.c libmpdemux/video.c |
diffstat | 6 files changed, 55 insertions(+), 20 deletions(-) [+] |
--- a/libmpcodecs/ad_ffmpeg.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpcodecs/ad_ffmpeg.c Mon Dec 19 19:38:28 2005 +0000 @@ -73,7 +73,7 @@ /* alloc extra data */ if (sh_audio->wf && sh_audio->wf->cbSize > 0) { - lavc_context->extradata = av_malloc(sh_audio->wf->cbSize); + lavc_context->extradata = av_mallocz(sh_audio->wf->cbSize + FF_INPUT_BUFFER_PADDING_SIZE); lavc_context->extradata_size = sh_audio->wf->cbSize; memcpy(lavc_context->extradata, (char *)sh_audio->wf + sizeof(WAVEFORMATEX), lavc_context->extradata_size);
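Review bot: The result of `av_mallocz()` is passed to the `memcpy` two lines below without a NULL check, and `sh_audio->wf->cbSize` is presumably taken from the file's audio header, so an oversized value can make the allocation fail and the copy write through a null pointer. Assigning `lavc_context->extradata_size` only after the allocation succeeded would keep the context consistent, e.g. `if (!lavc_context->extradata) { lavc_context->extradata_size = 0; /* fail init */ }`. The copy also reads `cbSize` bytes from behind `sizeof(WAVEFORMATEX)`; whether the `wf` allocation is guaranteed to hold that many bytes is not visible here and is worth confirming. The same unchecked `av_mallocz()` pattern appears in all four vd_ffmpeg.c hunks. The enclosing function starts and ends outside the hunk.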
--- a/libmpcodecs/vd_ffmpeg.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpcodecs/vd_ffmpeg.c Mon Dec 19 19:38:28 2005 +0000 @@ -324,7 +324,7 @@ { avctx->flags |= CODEC_FLAG_EXTERN_HUFF; avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER); - avctx->extradata = av_malloc(avctx->extradata_size); + avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); memcpy(avctx->extradata, sh->bih+sizeof(BITMAPINFOHEADER), avctx->extradata_size); @@ -346,7 +346,7 @@ || sh->format == mmioFOURCC('R', 'V', '4', '0') ){ avctx->extradata_size= 8; - avctx->extradata = av_malloc(avctx->extradata_size); + avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); if(sh->bih->biSize!=sizeof(*sh->bih)+8){ /* only 1 packet per frame & sub_id from fourcc */ ((uint32_t*)avctx->extradata)[0] = 0; @@ -384,7 +384,7 @@ )) { avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER); - avctx->extradata = av_malloc(avctx->extradata_size); + avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); memcpy(avctx->extradata, sh->bih+1, avctx->extradata_size); } /* Pass palette to codec */ @@ -405,7 +405,7 @@ if (sh->ImageDesc && sh->format == mmioFOURCC('S','V','Q','3')){ avctx->extradata_size = (*(int*)sh->ImageDesc) - sizeof(int); - avctx->extradata = av_malloc(avctx->extradata_size); + avctx->extradata = av_mallocz(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); memcpy(avctx->extradata, ((int*)sh->ImageDesc)+1, avctx->extradata_size); }
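Review bot: In the @@ -324 hunk the `memcpy` source `sh->bih+sizeof(BITMAPINFOHEADER)` looks like an out-of-bounds read: if `sh->bih` is a `BITMAPINFOHEADER *` (as `sh->bih+1` in the @@ -384 hunk suggests), the pointer arithmetic is scaled by the element size and skips `sizeof(BITMAPINFOHEADER)` whole headers rather than one. The padding added by this change does not help, because the overrun is on the source side of the copy. The line should read `memcpy(avctx->extradata, sh->bih+1, avctx->extradata_size);` to match the later hunk. The enclosing block starts outside the hunk.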
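Review bot: `avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER);` in the @@ -384 hunk has no visible guard against `biSize` being smaller than the header. Assuming `extradata_size` is a signed int, a slightly negative result plus the new padding now gives a small allocation that succeeds, followed by a `memcpy` whose length converts to a very large `size_t`. The same applies to the @@ -324 hunk and to `(*(int*)sh->ImageDesc) - sizeof(int)` in the @@ -405 hunk. Unless the conditions outside these hunks already reject such headers, add a range check before allocating, for example `if (sh->bih->biSize < sizeof(BITMAPINFOHEADER)) return 0;` adapted to the function's failure convention, and the analogous check for the ImageDesc length.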
--- a/libmpdemux/demux_asf.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpdemux/demux_asf.c Mon Dec 19 19:38:28 2005 +0000 @@ -62,6 +62,11 @@ *src = dst; } +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,int id,int seq,unsigned long time,unsigned short dur,int offs,int keyframe){ demux_stream_t *ds=NULL; @@ -106,8 +111,9 @@ // append data to it! demux_packet_t* dp=ds->asf_packet; if(dp->len!=offs && offs!=-1) mp_msg(MSGT_DEMUX,MSGL_V,"warning! fragment.len=%d BUT next fragment offset=%d \n",dp->len,offs); - dp->buffer=realloc(dp->buffer,dp->len+len); + dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); memcpy(dp->buffer+dp->len,data,len); + memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE); mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len); dp->len+=len; // we are ready now.
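Review bot: The fallback block ending in `#define FF_INPUT_BUFFER_PADDING_SIZE 8` is copied verbatim into demux_asf.c, demux_real.c, demux_viv.c and video.c, so the four copies can drift apart from each other and from the value in avcodec.h. Consider placing the `#ifdef USE_LIBAVCODEC` / `#else` / `#endif` block in one shared header that all four files include. In demux_asf.c it also lands after a function body rather than with the includes at the top of the file, unlike the other three files. A short comment such as `/* decoders may read up to this many bytes past the end of a packet */` would record why the constant exists.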
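Review bot: `dp->buffer=realloc(dp->buffer, ...)` in the @@ -106 hunk overwrites the only pointer to the packet before the result is checked, so a failed realloc leaks the old buffer and the following `memcpy` and `memset` write relative to NULL. `dp->len+len` is also summed without a visible bound on `len`, a parameter of `demux_asf_read_packet` that is presumably derived from the file, so a negative or overflowing sum would undersize the buffer. Suggested shape: `void *nb = realloc(dp->buffer, dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); if (!nb) return 0; dp->buffer = nb;`, with the return value adapted to the function's convention. The same direct-assignment pattern is in demux_real.c @@ -921 and demux_viv.c @@ -379. The function body continues outside the hunk.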
--- a/libmpdemux/demux_real.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpdemux/demux_real.c Mon Dec 19 19:38:28 2005 +0000 @@ -32,6 +32,12 @@ #include "stheader.h" #include "bswap.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + //#define mp_dbg(mod,lev, args... ) mp_msg_c((mod<<8)|lev, ## args ) #define MKTAG(a, b, c, d) (a | (b << 8) | (c << 16) | (d << 24)) @@ -921,7 +927,8 @@ // increase buffer size, this should not happen! mp_msg(MSGT_DEMUX,MSGL_WARN, "chunktab buffer too small!!!!!\n"); dp->len=dp_hdr->chunktab+8*(4+dp_hdr->chunks); - dp->buffer=realloc(dp->buffer,dp->len); + dp->buffer=realloc(dp->buffer,dp->len+FF_INPUT_BUFFER_PADDING_SIZE); + memset(dp->buffer + dp->len, 0, FF_INPUT_BUFFER_PADDING_SIZE); // re-calc pointers: dp_hdr=(dp_hdr_t*)dp->buffer; dp_data=dp->buffer+sizeof(dp_hdr_t);
--- a/libmpdemux/demux_viv.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpdemux/demux_viv.c Mon Dec 19 19:38:28 2005 +0000 @@ -15,6 +15,12 @@ #include "stheader.h" #include "bswap.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + /* parameters ! */ int vivo_param_version = -1; char *vivo_param_acodec = NULL; @@ -379,7 +385,8 @@ } else { // append data to it! demux_packet_t* dp=ds->asf_packet; - dp->buffer=realloc(dp->buffer,dp->len+len); + dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); + memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE); //memcpy(dp->buffer+dp->len,data,len); stream_read(demux->stream,dp->buffer+dp->len,len); mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
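Review bot: The return value of `stream_read(demux->stream,dp->buffer+dp->len,len)` is ignored in the @@ -379 hunk, so on a short read the tail of the newly reallocated region holds uninitialised heap bytes rather than stream data; only the padding behind it is zeroed. If `dp->len` is then advanced by `len` (not visible in this hunk), those bytes are handed on as packet payload. Consider setting the length from what `stream_read` reports, if it returns the byte count, and zeroing the padding after the bytes actually read.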
--- a/libmpdemux/video.c Mon Dec 19 18:04:37 2005 +0000 +++ b/libmpdemux/video.c Mon Dec 19 19:38:28 2005 +0000 @@ -22,6 +22,12 @@ /* sub_cc (closed captions)*/ #include "sub_cc.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + /* biCompression constant */ #define BI_RGB 0L @@ -132,10 +138,13 @@ } } mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n"); - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } mp_msg(MSGT_DECVIDEO,MSGL_V,"Searching for Video Object Layer Start code... ");fflush(stdout); while(1){ @@ -222,10 +231,13 @@ } } mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n"); - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } pos = videobuf_len+4; if(!read_video_packet(d_video)){ 
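Review bot: The allocate-pad-or-fail block added in the @@ -132 hunk is pasted unchanged into the @@ -222 and @@ -280 hunks, so any later fix to the buffer size or the padding has to be made three times. A small static helper that allocates `videobuffer` once, zeroes the padding and reports failure would reduce each call site to a single check. The helper name below is only a suggestion, and the enclosing functions start and end outside these hunks.

```c
/* Allocate the shared video buffer once, with zeroed decoder padding.
 * Returns 1 on success (or if already allocated), 0 on failure. */
static int alloc_videobuffer(void)
{
    if (videobuffer)
        return 1;
    videobuffer = (char *)memalign(8, VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
    if (!videobuffer) {
        mp_msg(MSGT_DECVIDEO, MSGL_ERR, MSGTR_ShMemAllocFail);
        return 0;
    }
    memset(videobuffer + VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
    return 1;
}

// … unchanged: start-code search and "OK!" message …
if (!alloc_videobuffer())
    return 0;
// … unchanged: rest of the header parsing …
```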
@@ -280,10 +292,13 @@ // sh_video=d_video->sh;sh_video->ds=d_video; // mpeg2_init(); // ========= Read & process sequence header & extension ============ - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } if(!read_video_packet(d_video)){
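Review bot: The zeroed padding is placed at `videobuffer+VIDEOBUFFER_SIZE`, i.e. at the end of the allocation rather than at the end of the data; the same holds in the @@ -132 and @@ -222 hunks. A decoder that reads a few bytes past a packet ending at `videobuf_len` stays inside the allocation but sees stale bytes from earlier packets rather than zeros, and the padding only takes effect when the buffer is completely full. Whether `read_video_packet` caps `videobuf_len` at `VIDEOBUFFER_SIZE` is not visible here and should be confirmed. If zero padding directly after the payload is wanted, something like `memset(videobuffer+videobuf_len, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after each read would provide it.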