author | henry <henry@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2005-12-19 19:38:28 +0000 |
---|---|---|
committer | henry <henry@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2005-12-19 19:38:28 +0000 |
commit | c0e54fd248d11f41ac44756b34b47d2054d82465 (patch) | |
tree | 83ea5587981cda6ab1654d6272807d8c6e82c06f /libmpdemux | |
parent | 335f35f2bf4d6fbc7caa9a27e8f8d21f4c937477 (diff) | |
malloc padding to avoid access beyond allocated memory
Credits to Mikulas Patocka (mikulas at artax karlin mff cuni cz)
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@17227 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux')
-rw-r--r-- | libmpdemux/demux_asf.c | 8 | ||||
-rw-r--r-- | libmpdemux/demux_real.c | 9 | ||||
-rw-r--r-- | libmpdemux/demux_viv.c | 9 | ||||
-rw-r--r-- | libmpdemux/video.c | 39 |
4 files changed, 50 insertions, 15 deletions
diff --git a/libmpdemux/demux_asf.c b/libmpdemux/demux_asf.c index ae1d9df77d..32d520ba6a 100644 --- a/libmpdemux/demux_asf.c +++ b/libmpdemux/demux_asf.c @@ -62,6 +62,11 @@ static void asf_descrambling(unsigned char **src,int len){ *src = dst; } +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,int id,int seq,unsigned long time,unsigned short dur,int offs,int keyframe){ demux_stream_t *ds=NULL; @@ -106,8 +111,9 @@ static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,in // append data to it! demux_packet_t* dp=ds->asf_packet; if(dp->len!=offs && offs!=-1) mp_msg(MSGT_DEMUX,MSGL_V,"warning! fragment.len=%d BUT next fragment offset=%d \n",dp->len,offs); - dp->buffer=realloc(dp->buffer,dp->len+len); + dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); memcpy(dp->buffer+dp->len,data,len); + memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE); mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len); dp->len+=len; // we are ready now. diff --git a/libmpdemux/demux_real.c b/libmpdemux/demux_real.c index 0d6ce85a75..5348c06b19 100644 --- a/libmpdemux/demux_real.c +++ b/libmpdemux/demux_real.c @@ -32,6 +32,12 @@ Video codecs: (supported by RealPlayer8 for Linux) #include "stheader.h" #include "bswap.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + //#define mp_dbg(mod,lev, args... ) mp_msg_c((mod<<8)|lev, ## args ) #define MKTAG(a, b, c, d) (a | (b << 8) | (c << 16) | (d << 24)) 
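Review bot: The fallback `#define FF_INPUT_BUFFER_PADDING_SIZE 8` is copied verbatim into four files (this hunk, plus the include hunks of demux_real.c, demux_viv.c and video.c), and in demux_asf.c the block sits between two function definitions rather than with the file's other includes. Putting the `#ifdef USE_LIBAVCODEC` block in one shared libmpdemux header would keep the fallback from drifting between files. The fallback also deserves a comment saying where 8 comes from, for example `/* used only without libavcodec; keep equal to the value in avcodec.h */`, since a value smaller than what a decoder reads past the end would silently undo the padding.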
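Review bot: The result of `realloc` in the `@@ -106,8 +111,9 @@` hunk is still assigned straight to `dp->buffer` and never checked, so on allocation failure the old buffer is leaked and both `memcpy` and the newly added `memset` write through a null pointer. The size `dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE` is also computed in `int` from values that appear to come from the file being demuxed, so it can overflow before reaching `realloc`, and the padding constant adds to the sum. The same unchecked pattern is in the demux_real.c hunk at `@@ -921,7 +927,8 @@` and the demux_viv.c hunk at `@@ -379,7 +385,8 @@`. A range check plus a temporary pointer covers both; the failure return value below is a guess, as demux_asf_read_packet starts and ends outside the hunk.

```c
// … unchanged: dp=ds->asf_packet and the fragment-offset warning …
void *grown;
if(len<0 || dp->len > INT_MAX-FF_INPUT_BUFFER_PADDING_SIZE-len)
    return 0;   // failure value to be confirmed against the callers
grown=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
if(!grown)
    return 0;   // dp->buffer is still valid and still owned by dp
dp->buffer=grown;
memcpy(dp->buffer+dp->len,data,len);
memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
// … unchanged: debug message and dp->len+=len …
```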
@@ -921,7 +927,8 @@ got_video: // increase buffer size, this should not happen! mp_msg(MSGT_DEMUX,MSGL_WARN, "chunktab buffer too small!!!!!\n"); dp->len=dp_hdr->chunktab+8*(4+dp_hdr->chunks); - dp->buffer=realloc(dp->buffer,dp->len); + dp->buffer=realloc(dp->buffer,dp->len+FF_INPUT_BUFFER_PADDING_SIZE); + memset(dp->buffer + dp->len, 0, FF_INPUT_BUFFER_PADDING_SIZE); // re-calc pointers: dp_hdr=(dp_hdr_t*)dp->buffer; dp_data=dp->buffer+sizeof(dp_hdr_t); diff --git a/libmpdemux/demux_viv.c b/libmpdemux/demux_viv.c index cc8823017d..910a724225 100644 --- a/libmpdemux/demux_viv.c +++ b/libmpdemux/demux_viv.c @@ -15,6 +15,12 @@ #include "stheader.h" #include "bswap.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + /* parameters ! */ int vivo_param_version = -1; char *vivo_param_acodec = NULL; @@ -379,7 +385,8 @@ static int demux_vivo_fill_buffer(demuxer_t *demux, demux_stream_t *dsds){ } else { // append data to it! demux_packet_t* dp=ds->asf_packet; - dp->buffer=realloc(dp->buffer,dp->len+len); + dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); + memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE); //memcpy(dp->buffer+dp->len,data,len); stream_read(demux->stream,dp->buffer+dp->len,len); mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len); diff --git a/libmpdemux/video.c b/libmpdemux/video.c index 0c73bc7774..f6bc1724f7 100644 --- a/libmpdemux/video.c +++ b/libmpdemux/video.c @@ -22,6 +22,12 @@ /* sub_cc (closed captions)*/ #include "sub_cc.h" +#ifdef USE_LIBAVCODEC +#include "avcodec.h" +#else +#define FF_INPUT_BUFFER_PADDING_SIZE 8 +#endif + /* biCompression constant */ #define BI_RGB 0L 
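Review bot: In the demux_viv.c hunk at `@@ -379,7 +385,8 @@` the padding is zeroed at `dp->len+len` before `stream_read` runs, and the return value of `stream_read` is ignored. On a truncated file the bytes between what was actually read and the padding would stay as uninitialised heap memory from `realloc`, which the decoder then sees as packet data. Assuming `stream_read` returns the number of bytes read, I would capture it and zero from there: `got=stream_read(demux->stream,dp->buffer+dp->len,len);` followed by `memset(dp->buffer+dp->len+got, 0, len-got+FF_INPUT_BUFFER_PADDING_SIZE);`. demux_vivo_fill_buffer starts and ends outside the hunk, so whether `dp->len` should then grow by `got` rather than `len` needs checking against the lines that follow.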
@@ -132,10 +138,13 @@ switch(video_codec){ } } mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n"); - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } mp_msg(MSGT_DECVIDEO,MSGL_V,"Searching for Video Object Layer Start code... ");fflush(stdout); while(1){ @@ -222,10 +231,13 @@ switch(video_codec){ } } mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n"); - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } pos = videobuf_len+4; if(!read_video_packet(d_video)){ @@ -280,10 +292,13 @@ switch(video_codec){ // sh_video=d_video->sh;sh_video->ds=d_video; // mpeg2_init(); // ========= Read & process sequence header & extension ============ - if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE); - if(!videobuffer){ - mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); - return 0; + if(!videobuffer) { + videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); + if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE); + else { + mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail); + return 0; + } } if(!read_video_packet(d_video)){ |
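Review bot: The same seven-line allocate-and-zero block is pasted three times in video.c (the hunks at `@@ -132`, `@@ -222` and `@@ -280`), so any later change to the padding logic has to be made in three places. The tail is also zeroed only once, at `videobuffer+VIDEOBUFFER_SIZE`, so it protects only a read that runs off the very end of the buffer. If `videobuf_len` is shorter, a decoder reading past the data sees stale bytes from an earlier packet rather than zeros; this is inferred, since the code that fills the buffer is outside the hunks. A small static helper, assuming `videobuffer` is file-scope, keeps the three sites identical and gives one place to document that limitation.

```c
/* Allocate the shared video buffer once, with zeroed tail padding.
 * Returns 1 on success, 0 if the allocation failed. */
static int alloc_videobuffer(void){
    if(videobuffer) return 1;
    videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
    if(!videobuffer){
        mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
        return 0;
    }
    memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
    return 1;
}

// … at each of the three call sites, replacing the repeated block …
if(!alloc_videobuffer()) return 0;
```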