aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCarl Eugen Hoyos <ceffmpeg@gmail.com>2017-12-31 22:30:57 +0100
committerCarl Eugen Hoyos <ceffmpeg@gmail.com>2018-01-01 22:27:29 +0100
commit1112ba012df38d486694154b03f5007341f43b24 (patch)
treef95fc483b854940668ee9ff52fa2f33c0f03ee03
parent9f7dbaad7e36e11237ab76ed5e1932af7dfd2df2 (diff)
downloadffmpeg-1112ba012df38d486694154b03f5007341f43b24.tar.gz
lavf/mov: Use av_fast_realloc() in mov_read_stts().
Avoids large allocations for short files with invalid stts entry. Fixes bugzilla 1102.
-rw-r--r--libavformat/mov.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 20644734dc..22faecfc17 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2830,7 +2830,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
AVStream *st;
MOVStreamContext *sc;
- unsigned int i, entries;
+ unsigned int i, entries, alloc_size = 0;
int64_t duration=0;
int64_t total_sample_count=0;
@@ -2848,15 +2848,24 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (sc->stts_data)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STTS atom\n");
- av_free(sc->stts_data);
+ av_freep(&sc->stts_data);
sc->stts_count = 0;
- sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data));
- if (!sc->stts_data)
+ if (entries >= INT_MAX / sizeof(*sc->stts_data))
return AVERROR(ENOMEM);
for (i = 0; i < entries && !pb->eof_reached; i++) {
int sample_duration;
unsigned int sample_count;
+ unsigned min_entries = FFMIN(FFMAX(i, 1024 * 1024), entries);
+ MOVStts *stts_data = av_fast_realloc(sc->stts_data, &alloc_size,
+ min_entries * sizeof(*sc->stts_data));
+ if (!stts_data) {
+ av_freep(&sc->stts_data);
+ sc->stts_count = 0;
+ return AVERROR(ENOMEM);
+ }
+ sc->stts_count = min_entries;
+ sc->stts_data = stts_data;
sample_count=avio_rb32(pb);
sample_duration = avio_rb32(pb);