[MPlayer-cvslog] r38393 - trunk/libmpdemux/mpeg_hdr.c
reimar
subversion at mplayerhq.hu
Sat Aug 27 11:37:31 EEST 2022
Author: reimar
Date: Sat Aug 27 11:37:31 2022
New Revision: 38393
Log:
mpeg_hdr.c: Allocate 0xff initialized padding.
Avoids SPS parsing overreading the buffer.
Fixes trac issue #2405.
Modified:
trunk/libmpdemux/mpeg_hdr.c
Modified: trunk/libmpdemux/mpeg_hdr.c
==============================================================================
--- trunk/libmpdemux/mpeg_hdr.c Sat Aug 27 11:33:54 2022 (r38392)
+++ trunk/libmpdemux/mpeg_hdr.c Sat Aug 27 11:37:31 2022 (r38393)
@@ -399,7 +399,15 @@ int h264_parse_sps(mp_mpeg_header_t * pi
{
unsigned int n = 0, v, i, k, mbh;
int frame_mbs_only;
- uint8_t *buf = malloc(len);
+ uint8_t *buf;
+ // Sanity check, should not happen in MPlayer due to limited video buffer
+ if (len > 100*1024*1024) len = 100*1024*1024;
+ // Allocate more to allow for overread.
+ // Initialize to 0xff to minimize golomb length
+ // 4kB is more than necessary, but calculating the exact
+ // value or adding more range checks is more pain than worth it.
+ buf = malloc(len + 4096);
+ memset(buf, 0xff, len + 4096);
len = mp_unescape03(buf, inbuf, len);
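Review bot: the result of `buf = malloc(len + 4096);` is passed straight to `memset(buf, 0xff, len + 4096);` with no NULL check, so a failed allocation (plausible now that up to 100 MB plus padding can be requested) becomes a NULL write instead of a clean parse failure. Suggest testing `buf` right after the malloc and returning the function's error value. Two smaller points on the same lines: the clamp `if (len > 100*1024*1024)` only bounds the upper side, so if `len` is a signed type a negative value still reaches `malloc(len + 4096)` and is worth rejecting explicitly. The 4096-byte 0xff padding is, by the comment's own admission, a heuristic rather than a computed bound, so it would help to state in the comment which property of the SPS reader keeps the worst-case overread below 4 kB.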