authorhenry <henry@b3059339-0415-0410-9bf9-f77b7e298cf2>2005-12-19 19:38:28 +0000
committerhenry <henry@b3059339-0415-0410-9bf9-f77b7e298cf2>2005-12-19 19:38:28 +0000
commitc0e54fd248d11f41ac44756b34b47d2054d82465 (patch)
tree83ea5587981cda6ab1654d6272807d8c6e82c06f /libmpdemux
parent335f35f2bf4d6fbc7caa9a27e8f8d21f4c937477 (diff)
malloc padding to avoid access beyond allocated memory
Credits to Mikulas Patocka (mikulas at artax karlin mff cuni cz) git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@17227 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux')
-rw-r--r--libmpdemux/demux_asf.c8
-rw-r--r--libmpdemux/demux_real.c9
-rw-r--r--libmpdemux/demux_viv.c9
-rw-r--r--libmpdemux/video.c39
4 files changed, 50 insertions, 15 deletions
diff --git a/libmpdemux/demux_asf.c b/libmpdemux/demux_asf.c
index ae1d9df77d..32d520ba6a 100644
--- a/libmpdemux/demux_asf.c
+++ b/libmpdemux/demux_asf.c
@@ -62,6 +62,11 @@ static void asf_descrambling(unsigned char **src,int len){
*src = dst;
}
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,int id,int seq,unsigned long time,unsigned short dur,int offs,int keyframe){
demux_stream_t *ds=NULL;
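Review bot: The fallback `#define FF_INPUT_BUFFER_PADDING_SIZE 8` is pasted unchanged into four files (here, demux_real.c, demux_viv.c and video.c) with no comment saying what the padding protects against. In this file the `#include "avcodec.h"` also lands between two function definitions rather than with the other includes. I would move the `#ifdef USE_LIBAVCODEC` block into one shared header included by all four files and document it there, for example `/* zeroed tail bytes so a decoder that reads slightly past the end of a packet stays inside the allocation */`. That keeps the non-libavcodec fallback in a single place if the required padding ever changes.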
@@ -106,8 +111,9 @@ static int demux_asf_read_packet(demuxer_t *demux,unsigned char *data,int len,in
// append data to it!
demux_packet_t* dp=ds->asf_packet;
if(dp->len!=offs && offs!=-1) mp_msg(MSGT_DEMUX,MSGL_V,"warning! fragment.len=%d BUT next fragment offset=%d \n",dp->len,offs);
- dp->buffer=realloc(dp->buffer,dp->len+len);
+ dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
memcpy(dp->buffer+dp->len,data,len);
+ memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
dp->len+=len;
// we are ready now.
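Review bot: The `realloc` result in the append branch is stored straight into `dp->buffer` and then used by `memcpy` and the new `memset` with no NULL check, so an allocation failure leaks the old buffer and writes through a null pointer. The size `dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE` appears to be plain `int` arithmetic on `len`, which looks like it is derived from the file being demuxed, so it should be range-checked before the call; adding the padding moves the sum closer to wrap-around, not further from it. The same unchecked pattern is in the `got_video:` hunk of demux_real.c and the `demux_vivo_fill_buffer` hunk of demux_viv.c. The function body starts and ends outside this hunk, so the `return 0` on the error paths below stands in for whatever its failure convention actually is.

```c
demux_packet_t* dp=ds->asf_packet;
// … unchanged: fragment offset warning …
void *grown;
if(len<0 || dp->len>INT_MAX-FF_INPUT_BUFFER_PADDING_SIZE-len){
  mp_msg(MSGT_DEMUX,MSGL_ERR,"fragment length out of range: %d+%d\n",dp->len,len);
  return 0;
}
grown=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
if(!grown){
  mp_msg(MSGT_DEMUX,MSGL_ERR,"out of memory while growing packet buffer\n");
  return 0;
}
dp->buffer=grown;
// … unchanged: memcpy of the fragment, memset of the padding, dp->len update …
```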
diff --git a/libmpdemux/demux_real.c b/libmpdemux/demux_real.c
index 0d6ce85a75..5348c06b19 100644
--- a/libmpdemux/demux_real.c
+++ b/libmpdemux/demux_real.c
@@ -32,6 +32,12 @@ Video codecs: (supported by RealPlayer8 for Linux)
#include "stheader.h"
#include "bswap.h"
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
//#define mp_dbg(mod,lev, args... ) mp_msg_c((mod<<8)|lev, ## args )
#define MKTAG(a, b, c, d) (a | (b << 8) | (c << 16) | (d << 24))
@@ -921,7 +927,8 @@ got_video:
// increase buffer size, this should not happen!
mp_msg(MSGT_DEMUX,MSGL_WARN, "chunktab buffer too small!!!!!\n");
dp->len=dp_hdr->chunktab+8*(4+dp_hdr->chunks);
- dp->buffer=realloc(dp->buffer,dp->len);
+ dp->buffer=realloc(dp->buffer,dp->len+FF_INPUT_BUFFER_PADDING_SIZE);
+ memset(dp->buffer + dp->len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
// re-calc pointers:
dp_hdr=(dp_hdr_t*)dp->buffer;
dp_data=dp->buffer+sizeof(dp_hdr_t);
diff --git a/libmpdemux/demux_viv.c b/libmpdemux/demux_viv.c
index cc8823017d..910a724225 100644
--- a/libmpdemux/demux_viv.c
+++ b/libmpdemux/demux_viv.c
@@ -15,6 +15,12 @@
#include "stheader.h"
#include "bswap.h"
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
/* parameters ! */
int vivo_param_version = -1;
char *vivo_param_acodec = NULL;
@@ -379,7 +385,8 @@ static int demux_vivo_fill_buffer(demuxer_t *demux, demux_stream_t *dsds){
} else {
// append data to it!
demux_packet_t* dp=ds->asf_packet;
- dp->buffer=realloc(dp->buffer,dp->len+len);
+ dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
+ memset(dp->buffer+dp->len+len, 0, FF_INPUT_BUFFER_PADDING_SIZE);
//memcpy(dp->buffer+dp->len,data,len);
stream_read(demux->stream,dp->buffer+dp->len,len);
mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
diff --git a/libmpdemux/video.c b/libmpdemux/video.c
index 0c73bc7774..f6bc1724f7 100644
--- a/libmpdemux/video.c
+++ b/libmpdemux/video.c
@@ -22,6 +22,12 @@
/* sub_cc (closed captions)*/
#include "sub_cc.h"
+#ifdef USE_LIBAVCODEC
+#include "avcodec.h"
+#else
+#define FF_INPUT_BUFFER_PADDING_SIZE 8
+#endif
+
/* biCompression constant */
#define BI_RGB 0L
@@ -132,10 +138,13 @@ switch(video_codec){
}
}
mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
- if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
- if(!videobuffer){
- mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
- return 0;
+ if(!videobuffer) {
+ videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+ else {
+ mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+ return 0;
+ }
}
mp_msg(MSGT_DECVIDEO,MSGL_V,"Searching for Video Object Layer Start code... ");fflush(stdout);
while(1){
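Review bot: The seven-line allocate, zero-the-padding, report-failure block added here is repeated verbatim in the next two hunks of video.c, so the padded size and the memset offset now have to be kept in sync in three places. A small static helper would hold the `VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE` arithmetic once and reduce each call site to `if(!alloc_videobuffer()) return 0;`. The padding is zeroed only at allocation time, which is sufficient only as long as nothing ever writes past `VIDEOBUFFER_SIZE`; the fill code is outside these hunks, so that is worth confirming. The enclosing function starts and ends outside the hunk, and the helper name below is only a suggestion.

```c
/* Allocate the shared video buffer once, with zeroed tail padding. Returns 1 on success, 0 on failure. */
static int alloc_videobuffer(void){
  if(videobuffer) return 1;
  videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
  if(!videobuffer){
    mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
    return 0;
  }
  memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
  return 1;
}

// … at each of the three call sites, replacing the added block …
if(!alloc_videobuffer()) return 0;
```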
@@ -222,10 +231,13 @@ switch(video_codec){
}
}
mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
- if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
- if(!videobuffer){
- mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
- return 0;
+ if(!videobuffer) {
+ videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+ else {
+ mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+ return 0;
+ }
}
pos = videobuf_len+4;
if(!read_video_packet(d_video)){
@@ -280,10 +292,13 @@ switch(video_codec){
// sh_video=d_video->sh;sh_video->ds=d_video;
// mpeg2_init();
// ========= Read & process sequence header & extension ============
- if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
- if(!videobuffer){
- mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
- return 0;
+ if(!videobuffer) {
+ videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (videobuffer) memset(videobuffer+VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+ else {
+ mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
+ return 0;
+ }
}
if(!read_video_packet(d_video)){