author | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
---|---|---|
committer | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
commit | 9da93175794398fefeb45c6c53abdcdeda325101 (patch) | |
tree | 1dad782a7785b845d9bfc950631e91c01369154b /libmpdemux/demux_mov.c | |
parent | b4ddc383ef4e4d537417999e390ab90631e7b6aa (diff) | |
Fix potential integer overflows in memory allocation.
Patch by Rich and me
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@18559 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux/demux_mov.c')
-rw-r--r-- | libmpdemux/demux_mov.c | 13 |
1 files changed, 2 insertions, 11 deletions
diff --git a/libmpdemux/demux_mov.c b/libmpdemux/demux_mov.c
index 9835f80b0d..84cf5683b4 100644
--- a/libmpdemux/demux_mov.c
+++ b/libmpdemux/demux_mov.c
@@ -145,16 +145,6 @@ typedef struct {
 void* desc; // image/sound/etc description (pointer to ImageDescription etc)
 } mov_track_t;
-#ifndef SIZE_MAX
-#define SIZE_MAX ((size_t)-1)
-#endif
-
-void *realloc_struct(void *ptr, size_t nmemb, size_t size) {
- if (nmemb > SIZE_MAX / size)
- return NULL;
- return realloc(ptr, nmemb * size);
-}
-
 void mov_build_index(mov_track_t* trak,int timescale){
 int i,j,s;
 int last=trak->chunks_size;
@@ -166,6 +156,7 @@ void mov_build_index(mov_track_t* trak,int timescale){
 mp_msg(MSGT_DEMUX, MSGL_WARN, "No chunk offset table, trying to build one!\n");
 trak->chunks_size = trak->samples_size; /* XXX: FIXME ! */
+ // audit: this code will be vulnerable if it is reenabled (currently #if 0)
 trak->chunks = realloc(trak->chunks, sizeof(mov_chunk_t)*trak->chunks_size);
 for (i=0; i < trak->chunks_size; i++)
@@ -1278,7 +1269,7 @@ static void lschunks(demuxer_t* demuxer,int level,off_t endpos,mov_track_t* trak
 z_stream zstrm;
 stream_t* backup;
- if (moov_sz > 0xffffffff - 16) {
+ if (moov_sz > SIZE_MAX - 16) {
 mp_msg(MSGT_DEMUX, MSGL_ERR, "Invalid cmvd atom size %d\n", moov_sz);
 break;
 } |
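Review bot: The audit comment added above the `trak->chunks = realloc(...)` line in mov_build_index says the block is vulnerable but not how, so whoever re-enables the `#if 0` region has to rediscover the problem. From the visible lines the size is `sizeof(mov_chunk_t)*trak->chunks_size` with no overflow check, chunks_size is copied from samples_size (which presumably comes from the parsed file), and the realloc result overwrites trak->chunks without a NULL check before the loop that follows. I would spell that out in the comment, e.g. `// audit: chunks_size is taken from samples_size; the size multiplication can overflow and the realloc result is unchecked, so switch to an overflow-checked realloc before re-enabling (currently #if 0)`. The function body starts and ends outside the hunk.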
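Review bot: The new guard `if (moov_sz > SIZE_MAX - 16)` in lschunks can never be true on a platform where size_t is wider than moov_sz, so on 64-bit builds it may silently remove the protection that `0xffffffff - 16` gave. moov_sz is printed with `%d`, which suggests a 32-bit int type; its declaration and the later `moov_sz + 16` use are outside the hunk, so this needs confirming, but if that addition is evaluated in 32-bit arithmetic it still wraps before it reaches the allocator. The bound should match the type the addition is done in, e.g. `if (moov_sz > UINT_MAX - 16) {` for an unsigned int, or the addition should be done as `(size_t)moov_sz + 16`; a sanity cap against the remaining atom or file size would be stronger still. Note also that the first hunk drops this file's own `#ifndef SIZE_MAX` fallback, so the new line depends on some other header providing SIZE_MAX.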