[FFmpeg-devel] [PATCH] prevent buffer overflow with large a/mulaw frames
Peter Ross
pross
Sat Aug 8 10:23:16 CEST 2009
On Sat, Jul 25, 2009 at 11:55:09PM -0700, Baptiste Coudurier wrote:
> On 07/25/2009 11:45 PM, Peter Ross wrote:
>> On Sun, Jul 26, 2009 at 03:32:59PM +1000, Peter Ross wrote:
>>> On Sat, Jul 25, 2009 at 09:42:52PM -0700, Baptiste Coudurier wrote:
>>>> Hi Peter,
>>>>
>>>> On 07/25/2009 09:19 PM, Peter Ross wrote:
>>>>> Hi,
>>>>>
>>>>> This patch prevents alaw/mulaw decoders from writing beyond the output buffer.
>>>>>
(snip)
>> + audio_out_size = FFMAX(size, 4*MAX_AUDIO_PACKET_SIZE);
>> + audio_out = av_realloc(audio_out, audio_out_size);
>> + }
>> if (!audio_buf || !audio_out)
>> return; /* Should signal an error ! */
>>
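Review bot: In the added `audio_out = av_realloc(audio_out, audio_out_size);`, the result overwrites the only pointer to the old buffer, so a failed allocation leaks the previous block, and `audio_out_size` has already been raised by then. The `if (!audio_buf || !audio_out)` check that follows does catch the NULL, but it only returns, with the `/* Should signal an error ! */` comment still in place. Suggest assigning the result to a temporary, updating `audio_out` and `audio_out_size` only on success, and reporting the failure to the caller instead of returning silently.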
>> @@ -596,9 +599,11 @@
>> #define MAKE_SFMT_PAIR(a,b) ((a)+SAMPLE_FMT_NB*(b))
>> if (!ost->audio_resample&& dec->sample_fmt!=enc->sample_fmt&&
>> MAKE_SFMT_PAIR(enc->sample_fmt,dec->sample_fmt)!=ost->reformat_pair) {
>> + if (!audio_out2 || size> audio_out2_size) {
>> + audio_out2_size = FFMAX(size, 4*MAX_AUDIO_PACKET_SIZE);
>> + audio_out2 = av_realloc(audio_out2, audio_out2_size);
>> + }
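Review bot: No NULL check follows `audio_out2 = av_realloc(audio_out2, audio_out2_size);` in the visible lines, whereas `audio_out` is covered by `if (!audio_buf || !audio_out)` in the previous hunk; a failed allocation here leaves `audio_out2` NULL with `audio_out2_size` already updated. Add a check before the buffer is written to. The grow-if-too-small test and the `4*MAX_AUDIO_PACKET_SIZE` floor are also copied from the `audio_out` hunk, so factoring them into one helper would keep the two allocations consistent, and a short comment stating what `size` bounds at this point (bytes after the sample format conversion) would make the check easier to audit.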
>
> av_fast_realloc may look cleaner in this situation.
Revised patch enclosed. I have overhauled the audio_{buf,out,out2} allocations,
to prevent overflows for each phase of do_audio_out().
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ffmpeg-audiooutsize-r2.diff
Type: text/x-diff
Size: 3880 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090808/06a645f8/attachment.diff>