From 2a353381f32c955eee0f2051d34375eba9459e6a Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 19 Nov 2012 00:57:41 +0100 Subject: core: fix crash when video filter returns inf as PTS When a video filter returned inf as PTS, the player crashed. One reason for this was that decode_audio() was called with a negative minlen parameter, which at some point caused it to call a memory allocation function with a ridiculous value, triggering an out of memory code path in talloc.c. (talloc.c has been modified to abort() on out of memory situations.) Fix this by sanity checking minlen in decode_audio(). (The check against outbuf->len always succeeded, because it's an unsigned comparison.) Make an existing sanity check in mplayer.c more robust: check for NaN too, which happens if the video PTS is inf. This happened with "-vf pullup,softpulldown" (but is not triggered when the following commit is applied). --- audio/decode/dec_audio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'audio/decode') diff --git a/audio/decode/dec_audio.c b/audio/decode/dec_audio.c index 1444d39009..9e03371d19 100644 --- a/audio/decode/dec_audio.c +++ b/audio/decode/dec_audio.c @@ -405,7 +405,7 @@ int decode_audio(sh_audio_t *sh_audio, struct bstr *outbuf, int minlen) return -1; max_decode_len -= max_decode_len % unitsize; - while (outbuf->len < minlen) { + while (minlen >=0 && outbuf->len < minlen) { int declen = (minlen - outbuf->len) / filter_multiplier + (unitsize << 5); // some extra for possible filter buffering if (huge_filter_buffer) -- cgit v1.2.3
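Review bot: in the `while` condition of `decode_audio()`, the new `minlen >=0` test is loop-invariant, so it would be clearer as a single check before the loop than as part of the condition evaluated on every iteration. As written, a negative `minlen` skips the loop and falls through to whatever follows it, which this hunk does not show, so the caller cannot distinguish a bogus request from one that was already satisfied; consider rejecting it up front, for example with `if (minlen < 0) return -1;` next to the existing `return -1;` above, if an error is the right outcome for callers. The remaining `outbuf->len < minlen` still compares an unsigned length with an `int` (the commit message itself points out the comparison is unsigned), and the same mix appears in `minlen - outbuf->len` on the next line; an explicit cast once the sign has been checked, plus a short comment saying why negative values can arrive here, would keep the guard from being removed as redundant later. Style: `>=0` should be `>= 0`.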