summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwm4 <wm4@nowhere>2013-08-04 23:21:50 +0200
committerwm4 <wm4@nowhere>2013-08-04 23:21:50 +0200
commitb53497a403d0b1453e35f02a157542f67e0c7374 (patch)
tree074fce677d8b93e32bf75fa7a69ae38231ec9fe2
parent56fec5ad3ab4d20dac4ee9ef0ef65e10670b7dff (diff)
downloadmpv-b53497a403d0b1453e35f02a157542f67e0c7374.tar.bz2
mpv-b53497a403d0b1453e35f02a157542f67e0c7374.tar.xz
demux_lavf: fix API usage
avio_alloc_context() is documented to require an av_malloc'ed buffer. It appears libavformat can even reallocate the buffer while it is probing, so passing a static buffer can in theory lead to crashes. I couldn't reproduce such a crash, but apparently it happened to mplayer-svn. This commit follows the mplayer fix in svn commit r36397.
-rw-r--r--demux/demux_lavf.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/demux/demux_lavf.c b/demux/demux_lavf.c
index 21b1cf8624..11e17f949f 100644
--- a/demux/demux_lavf.c
+++ b/demux/demux_lavf.c
@@ -76,7 +76,6 @@ typedef struct lavf_priv {
AVInputFormat *avif;
AVFormatContext *avfc;
AVIOContext *pb;
- uint8_t buffer[BIO_BUFFER_SIZE];
int64_t last_pts;
struct sh_stream **streams; // NULL for unknown streams
int num_streams;
@@ -571,8 +570,15 @@ static int demux_open_lavf(demuxer_t *demuxer, enum demux_check check)
if (!(priv->avif->flags & AVFMT_NOFILE) &&
demuxer->stream->type != STREAMTYPE_AVDEVICE)
{
- priv->pb = avio_alloc_context(priv->buffer, BIO_BUFFER_SIZE, 0,
+ void *buffer = av_malloc(BIO_BUFFER_SIZE);
+ if (!buffer)
+ return -1;
+ priv->pb = avio_alloc_context(buffer, BIO_BUFFER_SIZE, 0,
demuxer, mp_read, NULL, mp_seek);
+ if (!priv->pb) {
+ av_free(buffer);
+ return -1;
+ }
priv->pb->read_seek = mp_read_seek;
priv->pb->seekable = demuxer->stream->end_pos
&& (demuxer->stream->flags & MP_STREAM_SEEK) == MP_STREAM_SEEK
@@ -970,6 +976,8 @@ static void demux_close_lavf(demuxer_t *demuxer)
av_freep(&priv->avfc->key);
avformat_close_input(&priv->avfc);
}
+ if (priv->pb)
+ av_freep(&priv->pb->buffer);
av_freep(&priv->pb);
talloc_free(priv);
demuxer->priv = NULL;