[MPlayer-users] mplayer shooting to memory
Mikulas Patocka
mikulas at artax.karlin.mff.cuni.cz
Thu Apr 15 00:45:54 CEST 2004
Hi
There's a bug in mplayer causing it to shoot to memory:
in demux_audio.c in function demux_audio_open there's code
sh_audio->wf = w = (WAVEFORMATEX*)malloc(l);
and then
w->cbSize = 0;
The structure WAVEFORMATEX has 18 bytes. When l is only 16, this
assignment corrupts the heap. The fix is obvious:
--- LIBMPDEMUX/DEMUX_AUDIO.C_ 2004-04-15 00:35:17.000000000 +0100
+++ LIBMPDEMUX/DEMUX_AUDIO.C 2004-04-15 00:37:51.000000000 +0100
@@ -168,7 +168,7 @@
free_sh_audio(sh_audio);
return 0;
}
- sh_audio->wf = w = (WAVEFORMATEX*)malloc(l);
+ sh_audio->wf = w = (WAVEFORMATEX*)malloc(l > sizeof(WAVEFORMATEX) ? l : sizeof(WAVEFORMATEX));
w->wFormatTag = sh_audio->format = stream_read_word_le(s);
w->nChannels = sh_audio->channels = stream_read_word_le(s);
w->nSamplesPerSec = sh_audio->samplerate = stream_read_dword_le(s);
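Review bot: the malloc result on the `+` line is still dereferenced unchecked on the very next line (`w->wFormatTag = sh_audio->format = stream_read_word_le(s);`), so an allocation failure turns into a NULL-pointer write; suggest `if (!w) { free_sh_audio(sh_audio); return 0; }` right after the allocation, mirroring the error path visible just above the hunk. A second point: when l is smaller than sizeof(WAVEFORMATEX), the bytes between l and 18 come back from malloc uninitialised, so any field in that tail that is not explicitly assigned afterwards (the mail says cbSize is) holds garbage; calloc, or a memset of the structure, would make the padding deterministic.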
Mikulas
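The heap overrun the mail describes, with the pre-patch and post-patch sizing policies side by side, as an added example that is not code from the mail or from mplayer. It assumes a hypothetical packed 18-byte WAVEFORMATEX stand-in with the Windows field layout, a constructed 16-byte PCM header, and that a chunk shorter than 16 bytes is rejected (mplayer's own handling of that case is not shown in the mail). The parser reports the out-of-bounds store of cbSize instead of performing it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the 18-byte WAVEFORMATEX (packed, as on Windows). */
#pragma pack(push, 1)
typedef struct {
    uint16_t wFormatTag;
    uint16_t nChannels;
    uint32_t nSamplesPerSec;
    uint32_t nAvgBytesPerSec;
    uint16_t nBlockAlign;
    uint16_t wBitsPerSample;
    uint16_t cbSize;     /* offset 16: the field the original code stores unconditionally */
} WAVEFORMATEX;
#pragma pack(pop)

/* Constructed 16-byte PCM header (no cbSize): tag 1, 2 channels, 44100 Hz,
   176400 bytes/s, block align 4, 16 bits per sample. Little-endian. */
static const uint8_t kPcm16[16] = {0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00,
                                   0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00};

/* Sizing policy before the patch: the allocation is exactly the chunk length l. */
size_t wf_alloc_before(size_t l) { return l; }

/* Sizing policy from the patch: never smaller than the structure itself. */
size_t wf_alloc_after(size_t l) {
    return l > sizeof(WAVEFORMATEX) ? l : sizeof(WAVEFORMATEX);
}

/* Bytes by which a `len`-byte store at offset `off` overruns an allocation of
   `alloc` bytes; 0 when the store is in bounds. */
size_t overrun_bytes(size_t alloc, size_t off, size_t len) {
    return off + len > alloc ? off + len - alloc : 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the header the way demux_audio_open does, under a chosen allocation
   policy, but never perform the out-of-bounds store: if writing cbSize would
   land past the allocation, return NULL and report the overrun in *overrun.
   Assumption: chunks shorter than 16 bytes are rejected. */
WAVEFORMATEX *wf_from_chunk(const uint8_t *chunk, size_t l,
                            size_t (*policy)(size_t), size_t *overrun) {
    size_t alloc = policy(l);
    *overrun = overrun_bytes(alloc, offsetof(WAVEFORMATEX, cbSize), sizeof(uint16_t));
    if (*overrun || l < 16) return NULL;        /* pre-patch case for l == 16 lands here */
    WAVEFORMATEX *w = calloc(1, alloc);         /* calloc: bytes past l are not garbage */
    if (!w) return NULL;                        /* the patch itself does not check malloc */
    w->wFormatTag     = rd16(chunk);
    w->nChannels      = rd16(chunk + 2);
    w->nSamplesPerSec = rd32(chunk + 4);
    w->nAvgBytesPerSec = rd32(chunk + 8);
    w->nBlockAlign    = rd16(chunk + 12);
    w->wBitsPerSample = rd16(chunk + 14);
    w->cbSize = 0;                              /* in bounds only because alloc >= 18 */
    return w;
}

/* Parse kPcm16 under a policy; returns the sample rate, or 0 when the policy
   would have let the cbSize store overrun the allocation. */
uint32_t rate_under_policy(size_t (*policy)(size_t)) {
    size_t over;
    WAVEFORMATEX *w = wf_from_chunk(kPcm16, sizeof kPcm16, policy, &over);
    if (!w) return 0;
    uint32_t rate = w->nSamplesPerSec;
    free(w);
    return rate;
}

int main(void) {
    size_t over;
    WAVEFORMATEX *w = wf_from_chunk(kPcm16, 16, wf_alloc_before, &over);
    printf("before patch: alloc=%zu, cbSize store overruns by %zu byte(s)%s\n",
           wf_alloc_before(16), over, w ? "" : " (refused)");
    w = wf_from_chunk(kPcm16, 16, wf_alloc_after, &over);
    printf("after patch:  alloc=%zu, overrun=%zu, rate=%u Hz\n",
           wf_alloc_after(16), over, w ? w->nSamplesPerSec : 0);
    free(w);
    return 0;
}
```

With the pre-patch policy a 16-byte chunk yields a 16-byte allocation and the 2-byte cbSize store lands at offsets 16..17, i.e. 2 bytes past the end; with the patched policy the allocation is 18 bytes and the same store is in bounds, while chunks longer than 18 bytes keep their full length.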