diff options
| author | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
|---|---|---|
| committer | rtogni <rtogni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2006-06-04 22:41:27 +0000 |
| commit | 9da93175794398fefeb45c6c53abdcdeda325101 (patch) | |
| tree | 1dad782a7785b845d9bfc950631e91c01369154b /libmpdemux/muxer_mpeg.c | |
| parent | b4ddc383ef4e4d537417999e390ab90631e7b6aa (diff) | |
| download | mpv-9da93175794398fefeb45c6c53abdcdeda325101.tar.bz2 mpv-9da93175794398fefeb45c6c53abdcdeda325101.tar.xz | |
Fix potential integer overflows in memory allocation.
Patch by Rich and me
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@18559 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux/muxer_mpeg.c')
| -rw-r--r-- | libmpdemux/muxer_mpeg.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/libmpdemux/muxer_mpeg.c b/libmpdemux/muxer_mpeg.c index 40609ae2b3..b016f1db21 100644 --- a/libmpdemux/muxer_mpeg.c +++ b/libmpdemux/muxer_mpeg.c @@ -1976,6 +1976,8 @@ static int fill_last_frame(muxer_headers_t *spriv, uint8_t *ptr, int len) if(spriv->framebuf[idx].alloc_size < spriv->framebuf[idx].size + len) { + if(spriv->framebuf[idx].size > SIZE_MAX - (size_t)len) + return 0; spriv->framebuf[idx].buffer = (uint8_t*) realloc(spriv->framebuf[idx].buffer, spriv->framebuf[idx].size + len); if(! spriv->framebuf[idx].buffer) return 0; @@ -1995,7 +1997,7 @@ static int add_frame(muxer_headers_t *spriv, uint64_t idur, uint8_t *ptr, int le idx = spriv->framebuf_used; if(idx >= spriv->framebuf_cnt) { - spriv->framebuf = (mpeg_frame_t*) realloc(spriv->framebuf, (spriv->framebuf_cnt+1)*sizeof(mpeg_frame_t)); + spriv->framebuf = (mpeg_frame_t*) realloc_struct(spriv->framebuf, (spriv->framebuf_cnt+1), sizeof(mpeg_frame_t)); if(spriv->framebuf == NULL) { mp_msg(MSGT_MUXER, MSGL_FATAL, "Couldn't realloc frame buffer(idx), abort\n"); @@ -2018,6 +2020,11 @@ static int add_frame(muxer_headers_t *spriv, uint64_t idur, uint8_t *ptr, int le if(spriv->framebuf[idx].alloc_size < spriv->framebuf[idx].size + len) { + if(spriv->framebuf[idx].size > SIZE_MAX - (size_t)len) + { + mp_msg(MSGT_MUXER, MSGL_FATAL, "Size overflow, couldn't realloc frame buffer(frame), abort\n"); + return -1; + } spriv->framebuf[idx].buffer = realloc(spriv->framebuf[idx].buffer, spriv->framebuf[idx].size + len); if(spriv->framebuf[idx].buffer == NULL) { @@ -2329,6 +2336,11 @@ static void mpegfile_write_chunk(muxer_stream_t *s,size_t len,unsigned int flags if(s->b_buffer_size - s->b_buffer_len < len) { + if(s->b_buffer_len > SIZE_MAX - len) + { + mp_msg(MSGT_MUXER, MSGL_FATAL, "\nFATAL! couldn't realloc, integer overflow\n"); + return; + } s->b_buffer = realloc(s->b_buffer, len + s->b_buffer_len); if(s->b_buffer == NULL) { |