author | Benoit Fouet <benoit.fouet@free.fr> | 2010-06-10 05:59:22 +0000 |
---|---|---|
committer | Benoit Fouet <benoit.fouet@free.fr> | 2010-06-10 05:59:22 +0000 |
commit | 639c697c4fa192d3b3043523065c1e99bfd5f9fa (patch) | |
tree | c7d7160f3579bb134772893612a920027be7ee7e | |
parent | 25e25617f6fbd9a8f4028fe796199dafae51ae6b (diff) | |
Sanitize av_realloc() use in h264 mp4toannexb bitstream filter.
Originally committed as revision 23557 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/h264_mp4toannexb_bsf.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index f249b7f971..63653e4b67 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -28,14 +28,18 @@ typedef struct H264BSFContext { int extradata_parsed; } H264BSFContext; -static void alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, +static int alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, const uint8_t *sps_pps, uint32_t sps_pps_size, const uint8_t *in, uint32_t in_size) { uint32_t offset = *poutbuf_size; uint8_t nal_header_size = offset ? 3 : 4; + void *tmp; *poutbuf_size += sps_pps_size+in_size+nal_header_size; - *poutbuf = av_realloc(*poutbuf, *poutbuf_size); + tmp = av_realloc(*poutbuf, *poutbuf_size); + if (!tmp) + return AVERROR(ENOMEM); + *poutbuf = tmp; if (sps_pps) memcpy(*poutbuf+offset, sps_pps, sps_pps_size); memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size); @@ -45,6 +49,8 @@ static void alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, (*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0; (*poutbuf+offset+sps_pps_size)[2] = 1; } + + return 0; } static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, @@ -85,15 +91,20 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, sps_done++; } while (unit_nb--) { + void *tmp; + unit_size = AV_RB16(extradata); total_size += unit_size+4; if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) { av_free(out); return AVERROR(EINVAL); } - out = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE); - if (!out) + tmp = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE); + if (!tmp) { + av_free(out); return AVERROR(ENOMEM); + } + out = tmp; memcpy(out+total_size-unit_size-4, nalu_header, 4); memcpy(out+total_size-unit_size, extradata+2, unit_size); extradata += 2+unit_size; 
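Review bot: `*poutbuf_size` is increased before `av_realloc()` is known to have succeeded, and the sum `sps_pps_size+in_size+nal_header_size` is added to an `int` with no range check in alloc_and_copy. On the ENOMEM path the caller is left with the old buffer and a size that no longer matches it. If the sum ever wraps, the allocation would be smaller than what the following `memcpy()` calls write; whether `in_size` is bounded earlier in the filter is not visible here. I would compute the new size in a wider local, reject anything above `INT_MAX`, and store it to `*poutbuf_size` only after the reallocation succeeds. The two call sites in the last hunk inherit the stale size on their `goto fail` path.

```c
    uint32_t offset = *poutbuf_size;
    uint8_t nal_header_size = offset ? 3 : 4;
    uint64_t new_size = (uint64_t)offset + sps_pps_size + in_size + nal_header_size;
    void *tmp;

    if (new_size > INT_MAX)
        return AVERROR(EINVAL);
    tmp = av_realloc(*poutbuf, new_size);
    if (!tmp)
        return AVERROR(ENOMEM);
    *poutbuf = tmp;
    *poutbuf_size = new_size;
    /* ... unchanged: sps_pps/in memcpy and start-code write ... */
```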
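Review bot: `AV_RB16(extradata)` reads two bytes before anything checks that `extradata + 2` is still inside `avctx->extradata`, and the check that follows compares pointers that may already point past the end of the buffer. Truncated or malformed extradata would then be read out of bounds before `AVERROR(EINVAL)` is returned; padding on the extradata buffer may hide this in practice, but that is not visible in the hunk. Comparing lengths instead avoids both problems: with `end = avctx->extradata + avctx->extradata_size`, test `end - extradata < 2` before the read and `unit_size > end - extradata - 2` after it. The loop body begins and ends outside the hunk.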
@@ -131,15 +142,17 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, /* prepend only to the first type 5 NAL unit of an IDR picture */ if (ctx->first_idr && unit_type == 5) { - alloc_and_copy(poutbuf, poutbuf_size, + if (alloc_and_copy(poutbuf, poutbuf_size, avctx->extradata, avctx->extradata_size, - buf, nal_size); + buf, nal_size) < 0) + goto fail; ctx->first_idr = 0; } else { - alloc_and_copy(poutbuf, poutbuf_size, + if (alloc_and_copy(poutbuf, poutbuf_size, NULL, 0, - buf, nal_size); + buf, nal_size) < 0) + goto fail; if (!ctx->first_idr && unit_type == 1) ctx->first_idr = 1; } |
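Review bot: The error code returned by `alloc_and_copy()` is tested and then dropped at both call sites, so the `fail` path cannot report `AVERROR(ENOMEM)` unless it hard-codes it. The `fail` label is outside the hunk, so what it returns is not visible. If it returns a fixed code, keep the value in a local (called `ret` here), e.g. `if ((ret = alloc_and_copy(poutbuf, poutbuf_size, NULL, 0, buf, nal_size)) < 0) goto fail;`, and return that from `fail`. As a style point, the continuation lines of both calls may need re-aligning now that `if (` precedes the call; the page has lost the original indentation, so this is a guess.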