From b53497a403d0b1453e35f02a157542f67e0c7374 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sun, 4 Aug 2013 23:21:50 +0200 Subject: demux_lavf: fix API usage avio_alloc_context() is documented to require an av_malloc'ed buffer. It appears libavformat can even reallocate the buffer while it is probing, so passing a static buffer can in theory lead to crashes. I couldn't reproduce such a crash, but apparently it happened to mplayer-svn. This commit follows the mplayer fix in svn commit r36397. --- demux/demux_lavf.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'demux') diff --git a/demux/demux_lavf.c b/demux/demux_lavf.c index 21b1cf8624..11e17f949f 100644 --- a/demux/demux_lavf.c +++ b/demux/demux_lavf.c @@ -76,7 +76,6 @@ typedef struct lavf_priv { AVInputFormat *avif; AVFormatContext *avfc; AVIOContext *pb; - uint8_t buffer[BIO_BUFFER_SIZE]; int64_t last_pts; struct sh_stream **streams; // NULL for unknown streams int num_streams; @@ -571,8 +570,15 @@ static int demux_open_lavf(demuxer_t *demuxer, enum demux_check check) if (!(priv->avif->flags & AVFMT_NOFILE) && demuxer->stream->type != STREAMTYPE_AVDEVICE) { - priv->pb = avio_alloc_context(priv->buffer, BIO_BUFFER_SIZE, 0, + void *buffer = av_malloc(BIO_BUFFER_SIZE); + if (!buffer) + return -1; + priv->pb = avio_alloc_context(buffer, BIO_BUFFER_SIZE, 0, demuxer, mp_read, NULL, mp_seek); + if (!priv->pb) { + av_free(buffer); + return -1; + } priv->pb->read_seek = mp_read_seek; priv->pb->seekable = demuxer->stream->end_pos && (demuxer->stream->flags & MP_STREAM_SEEK) == MP_STREAM_SEEK @@ -970,6 +976,8 @@ static void demux_close_lavf(demuxer_t *demuxer) av_freep(&priv->avfc->key); avformat_close_input(&priv->avfc); } + if (priv->pb) + av_freep(&priv->pb->buffer); av_freep(&priv->pb); talloc_free(priv); demuxer->priv = NULL; -- cgit v1.2.3
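Review bot: The two new `return -1;` exits in demux_open_lavf (after `av_malloc` fails and after `avio_alloc_context` fails) leave the function without releasing anything it acquired earlier. The start of the function is outside this hunk, so please confirm that nothing allocated before this block is dropped on these paths. The I/O buffer is also heap-owned now, so any later error return that does not reach demux_close_lavf would leak both `priv->pb` and its buffer, where the old embedded array needed no cleanup. If such paths exist, a shared cleanup step doing `av_freep(&priv->pb->buffer); av_freep(&priv->pb);` would keep them consistent with the close path.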
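Review bot: The added `av_freep(&priv->pb->buffer);` in demux_close_lavf needs a comment explaining why the pointer is read back from the context rather than kept from the allocation site. Per the commit message, libavformat may reallocate the buffer while probing, so `pb->buffer` is the only pointer that is safe to free. Something like `// libavformat may have replaced the buffer; free whatever pb holds now` would keep a later refactor from caching the original `av_malloc` result and freeing stale memory. The function body starts outside the hunk.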