diff options
author | Carl Eugen Hoyos <ceffmpeg@gmail.com> | 2017-12-31 22:30:57 +0100 |
---|---|---|
committer | Carl Eugen Hoyos <ceffmpeg@gmail.com> | 2018-01-01 22:27:29 +0100 |
commit | 1112ba012df38d486694154b03f5007341f43b24 (patch) | |
tree | f95fc483b854940668ee9ff52fa2f33c0f03ee03 | |
parent | 9f7dbaad7e36e11237ab76ed5e1932af7dfd2df2 (diff) | |
download | ffmpeg-1112ba012df38d486694154b03f5007341f43b24.tar.gz |
lavf/mov: Use av_fast_realloc() in mov_read_stts().
Avoids large allocations for short files with invalid stts entry.
Fixes bugzilla 1102.
-rw-r--r-- | libavformat/mov.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 20644734dc..22faecfc17 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2830,7 +2830,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; MOVStreamContext *sc; - unsigned int i, entries; + unsigned int i, entries, alloc_size = 0; int64_t duration=0; int64_t total_sample_count=0; @@ -2848,15 +2848,24 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (sc->stts_data) av_log(c->fc, AV_LOG_WARNING, "Duplicated STTS atom\n"); - av_free(sc->stts_data); + av_freep(&sc->stts_data); sc->stts_count = 0; - sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data)); - if (!sc->stts_data) + if (entries >= INT_MAX / sizeof(*sc->stts_data)) return AVERROR(ENOMEM); for (i = 0; i < entries && !pb->eof_reached; i++) { int sample_duration; unsigned int sample_count; + unsigned min_entries = FFMIN(FFMAX(i, 1024 * 1024), entries); + MOVStts *stts_data = av_fast_realloc(sc->stts_data, &alloc_size, + min_entries * sizeof(*sc->stts_data)); + if (!stts_data) { + av_freep(&sc->stts_data); + sc->stts_count = 0; + return AVERROR(ENOMEM); + } + sc->stts_count = min_entries; + sc->stts_data = stts_data; sample_count=avio_rb32(pb); sample_duration = avio_rb32(pb); |