[FFmpeg-devel] [PATCH] fix for malloc error (roundup issues 2480, 2479)
Michael Niedermayer
michaelni
Wed Jan 5 17:22:33 CET 2011
On Mon, Jan 03, 2011 at 01:01:17PM -0500, Daniel Kang wrote:
> I am a Google Code-In student, and as part of a task, I have zzufed
> several files. It seems for extraordinary large total frames, ffmpeg
> fails on mallocating memory. Both bugs have been reproduced, so it is
> not only a bug on my box.
>
> The patches attached fix the issues locally. Another solution is to move
> the check into av_malloc, but that may create extra overhead. I am not
> sure what the best solution may be.
>
> Are there any suggestions?
> ape.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> f806ab16204e4200c3b29ce617532b8e4250eb11 ape_malloc_check.diff
> From 035683a38496569c9b79e2421682607c678a0a8b Mon Sep 17 00:00:00 2001
> From: Daniel Kang <daniel.d.kang at gmail.com>
> Date: Sun, 2 Jan 2011 20:42:07 -0500
> Subject: [PATCH] Sanity check to see if malloc returns the right size.
>
> ---
> libavformat/ape.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/libavformat/ape.c b/libavformat/ape.c
> index 91acf72..225f00b 100644
> --- a/libavformat/ape.c
> +++ b/libavformat/ape.c
> @@ -247,7 +247,7 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
> return -1;
> }
> ape->frames = av_malloc(ape->totalframes * sizeof(APEFrame));
> - if(!ape->frames)
> + if(!ape->frames || sizeof(ape->frames) != ape->totalframes * sizeof(APEFrame))
> return AVERROR(ENOMEM);
sizeof(ape->frames) is the size of the type of ape->frames, if thats a pointer
it would be sizeof(*void) aka 4 or 8 bytes normally.
if its an array like int frames[123] then it would be the size in bytes of
that array thus 4*128 normally in that case.
*malloc() dont allocate less then requested.
what can happen with code like av_malloc(ape->totalframes * sizeof(APEFrame));
is that the multiply overflows, like 0x7FFFFFFF * 10 doesnt fit in 32bit int
but it seems this is alraedy checked for in the line above:
if(ape->totalframes > UINT_MAX / sizeof(APEFrame)){
av_log(s, AV_LOG_ERROR, "Too many frames: %d\n", ape->totalframes);
return -1;
}
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110105/72fecde7/attachment.pgp>
More information about the ffmpeg-devel
mailing list