author | Uoti Urpala <uau@mplayer2.org> | 2011-06-18 19:55:13 +0300 |
---|---|---|
committer | Uoti Urpala <uau@mplayer2.org> | 2011-06-18 20:02:39 +0300 |
commit | 38b55f8cef78560037ec19c167ee6ec8745091b9 (patch) | |
tree | 0941808788314c4728c2e17a065e23431cd540ea /libmpdemux | |
parent | 6d187a73f0a56c79d73831eb90bf9a38e98dba6b (diff) | |
demux: pad even 0-size demux packet data (fixes sd_ass crash)
sd_ass relies on there being a zero byte after packet data. However
the packet allocation routines special-cased data length 0 and left
the data pointer as NULL in that case. This could cause a crash in
sd_ass if there was an empty subtitle packet. Change the allocation
routines to stop special-casing empty data and always allocate
padding. Empty packets are not so common that special casing them
would be a worthwhile optimization.
Also fix resize_demux_packet() to use MP_INPUT_BUFFER_PADDING_SIZE as
the padding size, instead of a hardcoded value of 8.
Diffstat (limited to 'libmpdemux')
-rw-r--r-- | libmpdemux/demuxer.c | 27 |
1 files changed, 10 insertions, 17 deletions
diff --git a/libmpdemux/demuxer.c b/libmpdemux/demuxer.c
index d441ac2863..f879938bfc 100644
--- a/libmpdemux/demuxer.c
+++ b/libmpdemux/demuxer.c
@@ -195,14 +195,12 @@ struct demux_packet *new_demux_packet(size_t len)
 dp->refcount = 1;
 dp->master = NULL;
 dp->buffer = NULL;
- if (len > 0) {
- dp->buffer = malloc(len + MP_INPUT_BUFFER_PADDING_SIZE);
- if (!dp->buffer) {
- mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
- abort();
- }
- memset(dp->buffer + len, 0, 8);
+ dp->buffer = malloc(len + MP_INPUT_BUFFER_PADDING_SIZE);
+ if (!dp->buffer) {
+ mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
+ abort();
 }
+ memset(dp->buffer + len, 0, 8);
 return dp;
 }
@@ -213,17 +211,12 @@ void resize_demux_packet(struct demux_packet *dp, size_t len)
 "over 1 GB!\n");
 abort();
 }
- if (len > 0) {
- dp->buffer = realloc(dp->buffer, len + 8);
- if (!dp->buffer) {
- mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
- abort();
- }
- memset(dp->buffer + len, 0, 8);
- } else {
- free(dp->buffer);
- dp->buffer = NULL;
+ dp->buffer = realloc(dp->buffer, len + MP_INPUT_BUFFER_PADDING_SIZE);
+ if (!dp->buffer) {
+ mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
+ abort();
 }
+ memset(dp->buffer + len, 0, 8);
 dp->len = len;
 }
|
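Review bot: The added `memset(dp->buffer + len, 0, 8);` in new_demux_packet() still zeroes a hardcoded 8 bytes while the allocation is now `len + MP_INPUT_BUFFER_PADDING_SIZE`, and the same line is added in resize_demux_packet() in the second hunk. The macro's value is not visible here: if it is larger than 8, the rest of the padding is uninitialized heap memory that any reader relying on the padding can pick up, and if it were ever smaller, the memset would write past the allocation. Both calls should use the same constant as the allocation, `memset(dp->buffer + len, 0, MP_INPUT_BUFFER_PADDING_SIZE);`. new_demux_packet() starts above this hunk, so it is worth confirming that it bounds `len` the way the 1 GB check in resize_demux_packet() does, since `len + MP_INPUT_BUFFER_PADDING_SIZE` can otherwise wrap.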
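Review bot: The non-NULL, zero-padded buffer is now a contract that other code depends on (the commit message names sd_ass), but nothing at the allocation sites in resize_demux_packet() or new_demux_packet() records it. Without a comment, a later cleanup could reintroduce the `len == 0` shortcut and bring the NULL dereference back. I would add above the realloc `/* buffer is never NULL, even for len == 0; the bytes after len are zeroed padding that consumers read past the payload */`, and the same above the malloc in the first hunk. resize_demux_packet() begins outside this hunk.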