[MPlayer-dev-eng] [PATCH] crash in mp_dvdnav_save_smpi

Gianluigi Tiesi mplayer at netfarm.it
Mon Jun 13 04:41:02 CEST 2011


On Sun, Jun 12, 2011 at 11:23:24AM +0200, Reimar Döffinger wrote:
> On Thu, Jun 09, 2011 at 03:16:21AM +0200, Gianluigi Tiesi wrote:
> > I'm not sure what changed recently, but when using dvdnav://
> > seeking causes mplayer to crash
> 
> I can't reproduce, can you give any details?

- insert a dvd
- mplayer dvdnav://
- wait for the menu to show up
- left arrow to seek

> 
> > in update_video() there are multiple checks for in_size > 0
> > so the only function that can put in_size back to -1 is mp_dvdnav_restore_smpi
> > 
> > the problem is that when seeking mp_dvdnav_save_smpi()
> > gets called with -1 as size, so it mallocs -1 and memcpys -1 (wrapped to maxuint)
> 
> On a 32 bit system such a malloc should fail, thus skipping
> the memcpy. Is this on a 64 bit system?

Yes, I have xp64, but many users have reported the problem to me

I wrap malloc(size) so the final code is:

p0 = HeapAlloc(GetProcessHeap(), 0, size + (16 + sizeof(void *)));

if (!p0)
    return ((void *) 0);

according to msdn:
size is unsigned long
dwBytes must be less than 0x7FFF8

Return Value:
If the function fails and you have not specified HEAP_GENERATE_EXCEPTIONS, the return value is NULL.

I don't know why it returns non-null, but maybe it is not so safe to pass -1 to malloc()
since it may be undefined on some platforms

Regards

-- 
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
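The failure mode described in this mail (a size of -1 reaching a wrapper that pads the request) can be reproduced and guarded against in plain C. The following is an added example, not code from the mail or from MPlayer: WRAPPER_OVERHEAD mirrors the `16 + sizeof(void *)` padding shown above, `safe_padded_alloc` is an assumed hardened replacement for the malloc wrapper, and `save_copy` is a hypothetical stand-in for mp_dvdnav_save_smpi. It shows why the heap call does not fail: `(size_t)-1 + overhead` wraps to a tiny request, so the allocation succeeds and the following memcpy runs with a huge length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overhead the posted HeapAlloc wrapper adds to every request (from the mail). */
#define WRAPPER_OVERHEAD (16 + sizeof(void *))

/* Byte count the wrapper actually asks the heap for. With size == (size_t)-1
 * this wraps to WRAPPER_OVERHEAD - 1, a tiny request that succeeds. */
size_t padded_request(size_t size)
{
    return size + WRAPPER_OVERHEAD;
}

/* 1 if size + WRAPPER_OVERHEAD would wrap around, 0 otherwise. */
int padded_request_overflows(size_t size)
{
    return size > SIZE_MAX - WRAPPER_OVERHEAD;
}

/* Hardened wrapper (assumption: stands in for the mail's malloc wrapper):
 * rejects negative lengths before they convert to a huge size_t and
 * rejects sizes whose padding would wrap. */
void *safe_padded_alloc(int len)
{
    if (len < 0)
        return NULL;
    size_t size = (size_t)len;
    if (padded_request_overflows(size))
        return NULL;
    return malloc(padded_request(size));
}

/* Hypothetical stand-in for the save routine discussed in the thread:
 * copies in_size bytes of src into a fresh buffer. Returns NULL and sets
 * *saved to 0 unless in_size is a positive length, so an in_size of -1
 * never reaches malloc() or memcpy(). */
unsigned char *save_copy(const unsigned char *src, int in_size, size_t *saved)
{
    *saved = 0;
    if (src == NULL || in_size <= 0)
        return NULL;
    unsigned char *dst = safe_padded_alloc(in_size);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, (size_t)in_size);
    *saved = (size_t)in_size;
    return dst;
}

/* Runs the checks a reviewer would want; returns 1 when all hold. */
int run_checks(void)
{
    /* Constructed sample payload. */
    static const unsigned char sample[] = "smpi";
    size_t n;
    int ok = 1;

    /* The wrapped size for -1 is small, so the heap call does not fail. */
    ok &= padded_request((size_t)-1) == WRAPPER_OVERHEAD - 1;
    ok &= padded_request_overflows((size_t)-1);
    ok &= !padded_request_overflows(4);

    /* Negative length is refused before any copy. */
    ok &= save_copy(sample, -1, &n) == NULL && n == 0;

    /* Positive length copies exactly that many bytes. */
    unsigned char *copy = save_copy(sample, 4, &n);
    ok &= copy != NULL && n == 4 && memcmp(copy, sample, 4) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("size_t(-1) + overhead wraps to %zu bytes\n", padded_request((size_t)-1));
    printf("checks %s\n", run_checks() ? "passed" : "FAILED");
    return run_checks() ? 0 : 1;
}
```

The length check belongs at the call site as well as in the wrapper: a wrapper that pads the request cannot tell a genuine huge allocation from a wrapped negative, so the caller must reject `in_size <= 0` before converting it to `size_t`.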