From 38b55f8cef78560037ec19c167ee6ec8745091b9 Mon Sep 17 00:00:00 2001
From: Uoti Urpala
Date: Sat, 18 Jun 2011 19:55:13 +0300
Subject: demux: pad even 0-size demux packet data (fixes sd_ass crash)

sd_ass relies on there being a zero byte after packet data. However the packet allocation routines special-cased data length 0 and left the data pointer as NULL in that case. This could cause a crash in sd_ass if there was an empty subtitle packet. Change the allocation routines to stop special-casing empty data and always allocate padding. Empty packets are not so common that special casing them would be a worthwhile optimization. Also fix resize_demux_packet() to use MP_INPUT_BUFFER_PADDING SIZE as the padding size, instead of a hardcoded value of 8.
---
 libmpdemux/demuxer.c | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)
 (limited to 'libmpdemux')
diff --git a/libmpdemux/demuxer.c b/libmpdemux/demuxer.c
index d441ac2863..f879938bfc 100644
--- a/libmpdemux/demuxer.c
+++ b/libmpdemux/demuxer.c
@@ -195,14 +195,12 @@ struct demux_packet *new_demux_packet(size_t len)
 dp->refcount = 1;
 dp->master = NULL;
 dp->buffer = NULL;
- if (len > 0) {
- dp->buffer = malloc(len + MP_INPUT_BUFFER_PADDING_SIZE);
- if (!dp->buffer) {
- mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
- abort();
- }
- memset(dp->buffer + len, 0, 8);
+ dp->buffer = malloc(len + MP_INPUT_BUFFER_PADDING_SIZE);
+ if (!dp->buffer) {
+ mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
+ abort();
 }
+ memset(dp->buffer + len, 0, 8);
 return dp;
 }
 
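Review bot: The `memset(dp->buffer + len, 0, 8);` that follows the now-unconditional malloc still clears a hardcoded 8 bytes although the buffer is sized with `MP_INPUT_BUFFER_PADDING_SIZE`, and the same line survives in the resize_demux_packet() hunk even though the commit message says the hardcoded 8 is being replaced there. The macro's value is not visible here; if it is larger than 8 the tail of the padding is uninitialized heap memory that any consumer over-reading the padding will see, and if it were smaller the memset would write past the allocation. Use `memset(dp->buffer + len, 0, MP_INPUT_BUFFER_PADDING_SIZE);` in both functions so the cleared region always matches the allocated one. The context line `dp->buffer = NULL;` directly above the malloc is now a dead store and can be dropped. new_demux_packet() begins above this hunk, so whether `len` is bounded before the addition cannot be checked from here.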
@@ -213,17 +211,12 @@ void resize_demux_packet(struct demux_packet *dp, size_t len)
 "over 1 GB!\n");
 abort();
 }
- if (len > 0) {
- dp->buffer = realloc(dp->buffer, len + 8);
- if (!dp->buffer) {
- mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
- abort();
- }
- memset(dp->buffer + len, 0, 8);
- } else {
- free(dp->buffer);
- dp->buffer = NULL;
+ dp->buffer = realloc(dp->buffer, len + MP_INPUT_BUFFER_PADDING_SIZE);
+ if (!dp->buffer) {
+ mp_msg(MSGT_DEMUXER, MSGL_FATAL, "Memory allocation failure!\n");
+ abort();
 }
+ memset(dp->buffer + len, 0, 8);
 dp->len = len;
 }
 
-- cgit v1.2.3
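Review bot: Nothing at the realloc records the invariant this change introduces, namely that `dp->buffer` is non-NULL and followed by zeroed padding even when `len == 0`, so a later cleanup could quietly reintroduce the empty-packet special case and the NULL dereference with it. A comment above the realloc such as `/* always allocate: consumers (e.g. sd_ass) read a zero byte after the data, even for len == 0 */` would pin that down. resize_demux_packet() begins above this hunk; only the tail of its size check is visible.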