[MPlayer-cvslog] r18559 - in trunk/libmpdemux: asf_streaming.c aviheader.c cookies.c demux_film.c demux_fli.c demux_mkv.c demux_mov.c demux_ogg.c demux_ts.c demux_viv.c demuxer.h ebml.c http.c mf.c muxer.c muxer_avi.c muxer_mpeg.c stream.c stream_livedotcom.c tvi_v4l.c tvi_v4l2.c url.c
rtogni
subversion at mplayerhq.hu
Mon Jun 5 00:41:28 CEST 2006
Author: rtogni
Date: Mon Jun 5 00:41:27 2006
New Revision: 18559
Modified:
trunk/libmpdemux/asf_streaming.c
trunk/libmpdemux/aviheader.c
trunk/libmpdemux/cookies.c
trunk/libmpdemux/demux_film.c
trunk/libmpdemux/demux_fli.c
trunk/libmpdemux/demux_mkv.c
trunk/libmpdemux/demux_mov.c
trunk/libmpdemux/demux_ogg.c
trunk/libmpdemux/demux_ts.c
trunk/libmpdemux/demux_viv.c
trunk/libmpdemux/demuxer.h
trunk/libmpdemux/ebml.c
trunk/libmpdemux/http.c
trunk/libmpdemux/mf.c
trunk/libmpdemux/muxer.c
trunk/libmpdemux/muxer_avi.c
trunk/libmpdemux/muxer_mpeg.c
trunk/libmpdemux/stream.c
trunk/libmpdemux/stream_livedotcom.c
trunk/libmpdemux/tvi_v4l.c
trunk/libmpdemux/tvi_v4l2.c
trunk/libmpdemux/url.c
Log:
Fix potential integer overflows in memory allocation.
Patch by Rich and me
Modified: trunk/libmpdemux/asf_streaming.c
==============================================================================
--- trunk/libmpdemux/asf_streaming.c (original)
+++ trunk/libmpdemux/asf_streaming.c Mon Jun 5 00:41:27 2006
@@ -194,6 +194,8 @@
return -1;
}
+ // audit: do not overflow buffer_size
+ if (size > SIZE_MAX - buffer_size) return -1;
buffer = (char*) malloc(size+buffer_size);
if(buffer == NULL) {
mp_msg(MSGT_NETWORK,MSGL_FATAL,MSGTR_MPDEMUX_ASF_BufferMallocFailed,size+buffer_size);
Modified: trunk/libmpdemux/aviheader.c
==============================================================================
--- trunk/libmpdemux/aviheader.c (original)
+++ trunk/libmpdemux/aviheader.c Mon Jun 5 00:41:27 2006
@@ -211,7 +211,7 @@
break;
}
priv->suidx_size++;
- priv->suidx = realloc(priv->suidx, priv->suidx_size * sizeof (avisuperindex_chunk));
+ priv->suidx = realloc_struct(priv->suidx, priv->suidx_size, sizeof (avisuperindex_chunk));
s = &priv->suidx[priv->suidx_size-1];
chunksize-=24;
Modified: trunk/libmpdemux/cookies.c
==============================================================================
--- trunk/libmpdemux/cookies.c (original)
+++ trunk/libmpdemux/cookies.c Mon Jun 5 00:41:27 2006
@@ -12,6 +12,7 @@
#include <unistd.h>
#include <sys/types.h>
#include <dirent.h>
+#include <inttypes.h>
#include "cookies.h"
#include "http.h"
@@ -110,6 +111,11 @@
return NULL;
}
+ if (*length > SIZE_MAX - 1) {
+ mp_msg(MSGT_NETWORK, MSGL_V, "File too big, could not malloc.");
+ return NULL;
+ }
+
lseek(fd, SEEK_SET, 0);
if (!(buffer = malloc(*length + 1))) {
Modified: trunk/libmpdemux/demux_film.c
==============================================================================
--- trunk/libmpdemux/demux_film.c (original)
+++ trunk/libmpdemux/demux_film.c Mon Jun 5 00:41:27 2006
@@ -377,7 +377,7 @@
// allocate enough entries for the chunk
film_data->chunks =
- (film_chunk_t *)malloc(film_data->total_chunks * sizeof(film_chunk_t));
+ (film_chunk_t *)calloc(film_data->total_chunks, sizeof(film_chunk_t));
// build the chunk index
counting_chunks = 1;
Modified: trunk/libmpdemux/demux_fli.c
==============================================================================
--- trunk/libmpdemux/demux_fli.c (original)
+++ trunk/libmpdemux/demux_fli.c Mon Jun 5 00:41:27 2006
@@ -103,6 +103,7 @@
frames->current_frame = 0;
// allocate enough entries for the indices
+ // audit: num_frames is 16bit so it is safe against overflow
frames->filepos = (off_t *)malloc(frames->num_frames * sizeof(off_t));
frames->frame_size = (int *)malloc(frames->num_frames * sizeof(int));
Modified: trunk/libmpdemux/demux_mkv.c
==============================================================================
--- trunk/libmpdemux/demux_mkv.c (original)
+++ trunk/libmpdemux/demux_mkv.c Mon Jun 5 00:41:27 2006
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
+#include <inttypes.h>
#include "stream.h"
#include "demuxer.h"
@@ -1083,6 +1084,8 @@
{
int x;
uint64_t num = ebml_read_length (s, &x);
+ // audit: cheap guard against overflows later..
+ if (num > SIZE_MAX - 1000) return 0;
l = x + num;
track->private_data = malloc (num);
if (stream_read(s, track->private_data, num) != (int) num)
Modified: trunk/libmpdemux/demux_mov.c
==============================================================================
--- trunk/libmpdemux/demux_mov.c (original)
+++ trunk/libmpdemux/demux_mov.c Mon Jun 5 00:41:27 2006
@@ -145,16 +145,6 @@
void* desc; // image/sound/etc description (pointer to ImageDescription etc)
} mov_track_t;
-#ifndef SIZE_MAX
-#define SIZE_MAX ((size_t)-1)
-#endif
-
-void *realloc_struct(void *ptr, size_t nmemb, size_t size) {
- if (nmemb > SIZE_MAX / size)
- return NULL;
- return realloc(ptr, nmemb * size);
-}
-
void mov_build_index(mov_track_t* trak,int timescale){
int i,j,s;
int last=trak->chunks_size;
@@ -166,6 +156,7 @@
mp_msg(MSGT_DEMUX, MSGL_WARN, "No chunk offset table, trying to build one!\n");
trak->chunks_size = trak->samples_size; /* XXX: FIXME ! */
+ // audit: this code will be vulnerable if it is reenabled (currently #if 0)
trak->chunks = realloc(trak->chunks, sizeof(mov_chunk_t)*trak->chunks_size);
for (i=0; i < trak->chunks_size; i++)
@@ -1278,7 +1269,7 @@
z_stream zstrm;
stream_t* backup;
- if (moov_sz > 0xffffffff - 16) {
+ if (moov_sz > SIZE_MAX - 16) {
mp_msg(MSGT_DEMUX, MSGL_ERR, "Invalid cmvd atom size %d\n", moov_sz);
break;
}
Modified: trunk/libmpdemux/demux_ogg.c
==============================================================================
--- trunk/libmpdemux/demux_ogg.c (original)
+++ trunk/libmpdemux/demux_ogg.c Mon Jun 5 00:41:27 2006
@@ -8,7 +8,7 @@
#include <string.h>
#include <assert.h>
#include <math.h>
-#include <limits.h>
+#include <inttypes.h>
#include "mp_msg.h"
#include "help_mp.h"
Modified: trunk/libmpdemux/demux_ts.c
==============================================================================
--- trunk/libmpdemux/demux_ts.c (original)
+++ trunk/libmpdemux/demux_ts.c Mon Jun 5 00:41:27 2006
@@ -235,13 +235,6 @@
#define IS_AUDIO(x) (((x) == AUDIO_MP2) || ((x) == AUDIO_A52) || ((x) == AUDIO_LPCM_BE) || ((x) == AUDIO_AAC))
#define IS_VIDEO(x) (((x) == VIDEO_MPEG1) || ((x) == VIDEO_MPEG2) || ((x) == VIDEO_MPEG4) || ((x) == VIDEO_H264) || ((x) == VIDEO_AVC))
-static void *realloc_struct(void *ptr, size_t nmemb, size_t size)
-{
- if (nmemb > SIZE_MAX / size)
- return NULL;
- return realloc(ptr, nmemb * size);
-}
-
static int ts_parse(demuxer_t *demuxer, ES_stream_t *es, unsigned char *packet, int probe);
static uint8_t get_packet_size(const unsigned char *buf, int size)
Modified: trunk/libmpdemux/demux_viv.c
==============================================================================
--- trunk/libmpdemux/demux_viv.c (original)
+++ trunk/libmpdemux/demux_viv.c Mon Jun 5 00:41:27 2006
@@ -387,6 +387,8 @@
} else {
// append data to it!
demux_packet_t* dp=ds->asf_packet;
+ if(dp->len + len + FF_INPUT_BUFFER_PADDING_SIZE < 0)
+ return 0;
dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
//memcpy(dp->buffer+dp->len,data,len);
Modified: trunk/libmpdemux/demuxer.h
==============================================================================
--- trunk/libmpdemux/demuxer.h (original)
+++ trunk/libmpdemux/demuxer.h Mon Jun 5 00:41:27 2006
@@ -238,6 +238,18 @@
free(dp);
}
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
+static void *realloc_struct(void *ptr, size_t nmemb, size_t size) {
+ if (nmemb > SIZE_MAX / size) {
+ free(ptr);
+ return NULL;
+ }
+ return realloc(ptr, nmemb * size);
+}
+
demux_stream_t* new_demuxer_stream(struct demuxer_st *demuxer,int id);
demuxer_t* new_demuxer(stream_t *stream,int type,int a_id,int v_id,int s_id,char *filename);
void free_demuxer_stream(demux_stream_t *ds);
Modified: trunk/libmpdemux/ebml.c
==============================================================================
--- trunk/libmpdemux/ebml.c (original)
+++ trunk/libmpdemux/ebml.c Mon Jun 5 00:41:27 2006
@@ -221,6 +221,8 @@
len = ebml_read_length (s, &l);
if (len == EBML_UINT_INVALID)
return NULL;
+ if (len > SIZE_MAX - 1)
+ return NULL;
if (length)
*length = len + l;
Modified: trunk/libmpdemux/http.c
==============================================================================
--- trunk/libmpdemux/http.c (original)
+++ trunk/libmpdemux/http.c Mon Jun 5 00:41:27 2006
@@ -315,6 +315,10 @@
http_response_append( HTTP_header_t *http_hdr, char *response, int length ) {
if( http_hdr==NULL || response==NULL || length<0 ) return -1;
+ if( (unsigned)length > SIZE_MAX - http_hdr->buffer_size - 1) {
+ mp_msg(MSGT_NETWORK,MSGL_FATAL,"Bad size in memory (re)allocation\n");
+ return -1;
+ }
http_hdr->buffer = (char*)realloc( http_hdr->buffer, http_hdr->buffer_size+length+1 );
if( http_hdr->buffer==NULL ) {
mp_msg(MSGT_NETWORK,MSGL_FATAL,"Memory (re)allocation failed\n");
@@ -340,7 +344,8 @@
http_response_parse( HTTP_header_t *http_hdr ) {
char *hdr_ptr, *ptr;
char *field=NULL;
- int pos_hdr_sep, hdr_sep_len, len;
+ int pos_hdr_sep, hdr_sep_len;
+ size_t len;
if( http_hdr==NULL ) return -1;
if( http_hdr->is_parsed ) return 0;
Modified: trunk/libmpdemux/mf.c
==============================================================================
--- trunk/libmpdemux/mf.c (original)
+++ trunk/libmpdemux/mf.c Mon Jun 5 00:41:27 2006
@@ -106,7 +106,7 @@
{ free( mf ); free( fname ); return NULL; }
mf->nr_of_files=gg.gl_pathc;
- mf->names=malloc( gg.gl_pathc * sizeof( char* ) );
+ mf->names=calloc( gg.gl_pathc, sizeof( char* ) );
mp_msg( MSGT_STREAM,MSGL_INFO,"[mf] number of files: %d (%d)\n",mf->nr_of_files, gg.gl_pathc * sizeof( char* ) );
Modified: trunk/libmpdemux/muxer.c
==============================================================================
--- trunk/libmpdemux/muxer.c (original)
+++ trunk/libmpdemux/muxer.c Mon Jun 5 00:41:27 2006
@@ -68,7 +68,7 @@
int num = s->muxer->muxbuf_num++;
muxbuf_t *buf, *tmp;
- tmp = realloc(s->muxer->muxbuf, (num+1) * sizeof(muxbuf_t));
+ tmp = realloc_struct(s->muxer->muxbuf, (num+1), sizeof(muxbuf_t));
if(!tmp) {
mp_msg(MSGT_MUXER, MSGL_FATAL, MSGTR_MuxbufReallocErr);
return;
Modified: trunk/libmpdemux/muxer_avi.c
==============================================================================
--- trunk/libmpdemux/muxer_avi.c (original)
+++ trunk/libmpdemux/muxer_avi.c Mon Jun 5 00:41:27 2006
@@ -109,9 +109,9 @@
s->priv=si=malloc(sizeof(struct avi_stream_info));
memset(si,0,sizeof(struct avi_stream_info));
si->idxsize=256;
- si->idx=malloc(sizeof(struct avi_odmlidx_entry)*si->idxsize);
+ si->idx=calloc(si->idxsize, sizeof(struct avi_odmlidx_entry));
si->riffofssize=16;
- si->riffofs=malloc(sizeof(off_t)*(si->riffofssize+1));
+ si->riffofs=calloc((si->riffofssize+1), sizeof(off_t));
memset(si->riffofs, 0, sizeof(off_t)*si->riffofssize);
switch(type){
@@ -174,7 +174,7 @@
vsi->riffofspos++;
if (vsi->riffofspos>=vsi->riffofssize) {
vsi->riffofssize+=16;
- vsi->riffofs=realloc(vsi->riffofs,sizeof(off_t)*(vsi->riffofssize+1));
+ vsi->riffofs=realloc_struct(vsi->riffofs,(vsi->riffofssize+1),sizeof(off_t));
}
vsi->riffofs[vsi->riffofspos] = ftello(f);
@@ -220,7 +220,7 @@
// add to the traditional index:
if(muxer->idx_pos>=muxer->idx_size){
muxer->idx_size+=256; // 4kB
- muxer->idx=realloc(muxer->idx,16*muxer->idx_size);
+ muxer->idx=realloc_struct(muxer->idx,muxer->idx_size,16);
}
muxer->idx[muxer->idx_pos].ckid=s->ckid;
muxer->idx[muxer->idx_pos].dwFlags=flags; // keyframe?
@@ -232,7 +232,7 @@
// add to odml index
if(si->idxpos>=si->idxsize){
si->idxsize+=256;
- si->idx=realloc(si->idx,sizeof(*si->idx)*si->idxsize);
+ si->idx=realloc_struct(si->idx,si->idxsize,sizeof(*si->idx));
}
si->idx[si->idxpos].flags=(flags&AVIIF_KEYFRAME)?0:ODML_NOTKEYFRAME;
si->idx[si->idxpos].ofs=muxer->file_end;
@@ -599,7 +599,7 @@
i, entries_per_subidx, si->superidxpos);
si->superidxsize = si->superidxpos;
- si->superidx = malloc(sizeof(*si->superidx) * si->superidxsize);
+ si->superidx = calloc(si->superidxsize, sizeof(*si->superidx));
memset(si->superidx, 0, sizeof(*si->superidx) * si->superidxsize);
idxpos = 0;
Modified: trunk/libmpdemux/muxer_mpeg.c
==============================================================================
--- trunk/libmpdemux/muxer_mpeg.c (original)
+++ trunk/libmpdemux/muxer_mpeg.c Mon Jun 5 00:41:27 2006
@@ -1976,6 +1976,8 @@
if(spriv->framebuf[idx].alloc_size < spriv->framebuf[idx].size + len)
{
+ if(spriv->framebuf[idx].size > SIZE_MAX - (size_t)len)
+ return 0;
spriv->framebuf[idx].buffer = (uint8_t*) realloc(spriv->framebuf[idx].buffer, spriv->framebuf[idx].size + len);
if(! spriv->framebuf[idx].buffer)
return 0;
@@ -1995,7 +1997,7 @@
idx = spriv->framebuf_used;
if(idx >= spriv->framebuf_cnt)
{
- spriv->framebuf = (mpeg_frame_t*) realloc(spriv->framebuf, (spriv->framebuf_cnt+1)*sizeof(mpeg_frame_t));
+ spriv->framebuf = (mpeg_frame_t*) realloc_struct(spriv->framebuf, (spriv->framebuf_cnt+1), sizeof(mpeg_frame_t));
if(spriv->framebuf == NULL)
{
mp_msg(MSGT_MUXER, MSGL_FATAL, "Couldn't realloc frame buffer(idx), abort\n");
@@ -2018,6 +2020,11 @@
if(spriv->framebuf[idx].alloc_size < spriv->framebuf[idx].size + len)
{
+ if(spriv->framebuf[idx].size > SIZE_MAX - (size_t)len)
+ {
+ mp_msg(MSGT_MUXER, MSGL_FATAL, "Size overflow, couldn't realloc frame buffer(frame), abort\n");
+ return -1;
+ }
spriv->framebuf[idx].buffer = realloc(spriv->framebuf[idx].buffer, spriv->framebuf[idx].size + len);
if(spriv->framebuf[idx].buffer == NULL)
{
@@ -2329,6 +2336,11 @@
if(s->b_buffer_size - s->b_buffer_len < len)
{
+ if(s->b_buffer_len > SIZE_MAX - len)
+ {
+ mp_msg(MSGT_MUXER, MSGL_FATAL, "\nFATAL! couldn't realloc, integer overflow\n");
+ return;
+ }
s->b_buffer = realloc(s->b_buffer, len + s->b_buffer_len);
if(s->b_buffer == NULL)
{
Modified: trunk/libmpdemux/stream.c
==============================================================================
--- trunk/libmpdemux/stream.c (original)
+++ trunk/libmpdemux/stream.c Mon Jun 5 00:41:27 2006
@@ -354,7 +354,11 @@
}
stream_t* new_memory_stream(unsigned char* data,int len){
- stream_t *s=malloc(sizeof(stream_t)+len);
+ stream_t *s;
+
+ if(len < 0)
+ return NULL;
+ s=malloc(sizeof(stream_t)+len);
memset(s,0,sizeof(stream_t));
s->fd=-1;
s->type=STREAMTYPE_MEMORY;
Modified: trunk/libmpdemux/stream_livedotcom.c
==============================================================================
--- trunk/libmpdemux/stream_livedotcom.c (original)
+++ trunk/libmpdemux/stream_livedotcom.c Mon Jun 5 00:41:27 2006
@@ -78,6 +78,8 @@
lseek(f,0,SEEK_SET);
if(len == -1)
return STREAM_ERROR;
+ if(len > SIZE_MAX - 1)
+ return STREAM_ERROR;
sdpDescription = (char*)malloc(len+1);
if(sdpDescription == NULL) return STREAM_ERROR;
Modified: trunk/libmpdemux/tvi_v4l.c
==============================================================================
--- trunk/libmpdemux/tvi_v4l.c (original)
+++ trunk/libmpdemux/tvi_v4l.c Mon Jun 5 00:41:27 2006
@@ -568,7 +568,7 @@
}
mp_msg(MSGT_TV, MSGL_INFO, " Inputs: %d\n", priv->capability.channels);
- priv->channels = (struct video_channel *)malloc(sizeof(struct video_channel)*priv->capability.channels);
+ priv->channels = (struct video_channel *)calloc(priv->capability.channels, sizeof(struct video_channel));
if (!priv->channels)
goto malloc_failed;
memset(priv->channels, 0, sizeof(struct video_channel)*priv->capability.channels);
@@ -621,7 +621,7 @@
priv->nbuf = priv->mbuf.frames;
/* video buffers */
- priv->buf = (struct video_mmap *)malloc(priv->nbuf * sizeof(struct video_mmap));
+ priv->buf = (struct video_mmap *)calloc(priv->nbuf, sizeof(struct video_mmap));
if (!priv->buf)
goto malloc_failed;
memset(priv->buf, 0, priv->nbuf * sizeof(struct video_mmap));
@@ -856,13 +856,13 @@
if (!tv_param_noaudio) {
setup_audio_buffer_sizes(priv);
bytes_per_sample = priv->audio_in.bytes_per_sample;
- priv->audio_skew_buffer = (long long*)malloc(sizeof(long long)*priv->aud_skew_cnt);
+ priv->audio_skew_buffer = (long long*)calloc(priv->aud_skew_cnt, sizeof(long long));
if (!priv->audio_skew_buffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate skew buffer: %s\n", strerror(errno));
return 0;
}
- priv->audio_ringbuffer = (unsigned char*)malloc(priv->audio_in.blocksize*priv->audio_buffer_size);
+ priv->audio_ringbuffer = (unsigned char*)calloc(priv->audio_in.blocksize, priv->audio_buffer_size);
if (!priv->audio_ringbuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate audio buffer: %s\n", strerror(errno));
return 0;
@@ -900,7 +900,7 @@
priv->video_buffer_size_max,
priv->video_buffer_size_max*priv->height*priv->bytesperline/(1024*1024));
- priv->video_ringbuffer = (unsigned char**)malloc(priv->video_buffer_size_max*sizeof(unsigned char*));
+ priv->video_ringbuffer = (unsigned char**)calloc(priv->video_buffer_size_max, sizeof(unsigned char*));
if (!priv->video_ringbuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate video buffer: %s\n", strerror(errno));
return 0;
@@ -908,7 +908,7 @@
for (i = 0; i < priv->video_buffer_size_max; i++)
priv->video_ringbuffer[i] = NULL;
- priv->video_timebuffer = (long long*)malloc(sizeof(long long) * priv->video_buffer_size_max);
+ priv->video_timebuffer = (long long*)calloc(priv->video_buffer_size_max, sizeof(long long));
if (!priv->video_timebuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate time buffer: %s\n", strerror(errno));
return 0;
@@ -1569,7 +1569,7 @@
pthread_mutex_lock(&priv->video_buffer_mutex);
if (priv->video_buffer_size_current < priv->video_buffer_size_max) {
if (priv->video_cnt == priv->video_buffer_size_current) {
- unsigned char *newbuf = (unsigned char*)malloc(priv->bytesperline * priv->height);
+ unsigned char *newbuf = (unsigned char*)calloc(priv->bytesperline, priv->height);
if (newbuf) {
memmove(priv->video_ringbuffer+priv->video_tail+1, priv->video_ringbuffer+priv->video_tail,
(priv->video_buffer_size_current-priv->video_tail)*sizeof(unsigned char *));
Modified: trunk/libmpdemux/tvi_v4l2.c
==============================================================================
--- trunk/libmpdemux/tvi_v4l2.c (original)
+++ trunk/libmpdemux/tvi_v4l2.c Mon Jun 5 00:41:27 2006
@@ -1169,18 +1169,18 @@
if (!tv_param_noaudio) {
setup_audio_buffer_sizes(priv);
- priv->audio_skew_buffer = (long long*)malloc(sizeof(long long)*priv->aud_skew_cnt);
+ priv->audio_skew_buffer = (long long*)calloc(priv->aud_skew_cnt, sizeof(long long));
if (!priv->audio_skew_buffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate skew buffer: %s\n", strerror(errno));
return 0;
}
- priv->audio_skew_delta_buffer = (long long*)malloc(sizeof(long long)*priv->aud_skew_cnt);
+ priv->audio_skew_delta_buffer = (long long*)calloc(priv->aud_skew_cnt, sizeof(long long));
if (!priv->audio_skew_delta_buffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate skew buffer: %s\n", strerror(errno));
return 0;
}
- priv->audio_ringbuffer = (unsigned char*)malloc(priv->audio_in.blocksize*priv->audio_buffer_size);
+ priv->audio_ringbuffer = (unsigned char*)calloc(priv->audio_in.blocksize, priv->audio_buffer_size);
if (!priv->audio_ringbuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate audio buffer: %s\n", strerror(errno));
return 0;
@@ -1226,14 +1226,14 @@
priv->video_buffer_size_max*priv->format.fmt.pix.height*bytesperline/(1024*1024));
}
- priv->video_ringbuffer = (unsigned char**)malloc(priv->video_buffer_size_max*sizeof(unsigned char*));
+ priv->video_ringbuffer = (unsigned char**)calloc(priv->video_buffer_size_max, sizeof(unsigned char*));
if (!priv->video_ringbuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate video buffer: %s\n", strerror(errno));
return 0;
}
for (i = 0; i < priv->video_buffer_size_max; i++)
priv->video_ringbuffer[i] = NULL;
- priv->video_timebuffer = (long long*)malloc(sizeof(long long) * priv->video_buffer_size_max);
+ priv->video_timebuffer = (long long*)calloc(priv->video_buffer_size_max, sizeof(long long));
if (!priv->video_timebuffer) {
mp_msg(MSGT_TV, MSGL_ERR, "cannot allocate time buffer: %s\n", strerror(errno));
return 0;
@@ -1261,7 +1261,7 @@
}
/* query buffers */
- if (!(priv->map = malloc(sizeof(struct map) * request.count))) {
+ if (!(priv->map = calloc(request.count, sizeof(struct map)))) {
mp_msg(MSGT_TV, MSGL_ERR, "%s: malloc capture buffers failed: %s\n",
info.short_name, strerror(errno));
return 0;
@@ -1561,7 +1561,7 @@
// for testing purposes only
static void read_doublespeed(priv_t *priv)
{
- char *bufx = (char*)malloc(priv->audio_in.blocksize*2);
+ char *bufx = (char*)calloc(priv->audio_in.blocksize, 2);
short *s;
short *d;
int i;
Modified: trunk/libmpdemux/url.c
==============================================================================
--- trunk/libmpdemux/url.c (original)
+++ trunk/libmpdemux/url.c Mon Jun 5 00:41:27 2006
@@ -9,6 +9,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
+#include <inttypes.h>
#include "url.h"
#include "mp_msg.h"
@@ -24,6 +25,10 @@
if( url==NULL ) return NULL;
+ if (strlen(url) > (SIZE_MAX / 3 - 1)) {
+ mp_msg(MSGT_NETWORK,MSGL_FATAL,MSGTR_MemAllocFailed);
+ goto err_out;
+ }
escfilename=malloc(strlen(url)*3+1);
if (!escfilename ) {
mp_msg(MSGT_NETWORK,MSGL_FATAL,MSGTR_MemAllocFailed);
More information about the MPlayer-cvslog
mailing list