authorMichael Niedermayer <michael@niedermayer.cc>2016-09-09 10:26:15 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2016-09-28 17:11:52 +0200
commitd669b7f4f6e8bfe4db5501c7f1d95bdae84f1f1f (patch)
treeaaf23aaa77136210947ab03a19ec9fef8956d3e9
parent9259b7f38e008720096532cd4e666a9889f3c578 (diff)
avcodec/ccaption_dec: Use simple array instead of AVBuffer
This is simpler and fixes an out of array read, fixing it with AVBuffers would be more complex Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 752e6dfa3ea97e7901870bdd9e5a51f860607240) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/ccaption_dec.c27
1 files changed, 11 insertions, 16 deletions
diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c
index 790f0718fd..4b42dbc5db 100644
--- a/libavcodec/ccaption_dec.c
+++ b/libavcodec/ccaption_dec.c
@@ -135,7 +135,8 @@ typedef struct CCaptionSubContext {
int64_t last_real_time;
char prev_cmd[2];
/* buffer to store pkt data */
- AVBufferRef *pktbuf;
+ uint8_t *pktbuf;
+ int pktbuf_size;
} CCaptionSubContext;
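Review bot: `pktbuf_size` is declared `int`, but decode() passes its address to av_fast_padded_malloc(), whose size parameter is `unsigned int *`, so the call has a pointer-signedness mismatch that compilers warn about. Declaring it `unsigned int pktbuf_size;` matches the API and keeps the stored capacity from ever being read as negative; the `%d` that prints it in decode() would then become `%u`. The existing comment could also state ownership, e.g. `/* private copy of the packet data; grown in decode(), freed in close_decoder() */`.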
@@ -160,11 +161,7 @@ static av_cold int init_decoder(AVCodecContext *avctx)
if (ret < 0) {
return ret;
}
- /* allocate pkt buffer */
- ctx->pktbuf = av_buffer_alloc(128);
- if (!ctx->pktbuf) {
- ret = AVERROR(ENOMEM);
- }
+
return ret;
}
@@ -172,7 +169,8 @@ static av_cold int close_decoder(AVCodecContext *avctx)
{
CCaptionSubContext *ctx = avctx->priv_data;
av_bprint_finalize(&ctx->buffer, NULL);
- av_buffer_unref(&ctx->pktbuf);
+ av_freep(&ctx->pktbuf);
+ ctx->pktbuf_size = 0;
return 0;
}
@@ -578,16 +576,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp
int ret = 0;
int i;
- if (ctx->pktbuf->size < len) {
- ret = av_buffer_realloc(&ctx->pktbuf, len);
- if (ret < 0) {
- av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size);
- len = ctx->pktbuf->size;
- ret = 0;
- }
+ av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len);
+ if (!ctx->pktbuf) {
+ av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size);
+ return AVERROR(ENOMEM);
}
- memcpy(ctx->pktbuf->data, avpkt->data, len);
- bptr = ctx->pktbuf->data;
+ memcpy(ctx->pktbuf, avpkt->data, len);
+ bptr = ctx->pktbuf;
for (i = 0; i < len; i += 3) {
uint8_t cc_type = *(bptr + i) & 3;
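Review bot: The warning text in the allocation-failure branch no longer describes what the code does: nothing is truncated any more, the function returns AVERROR(ENOMEM), and `ctx->pktbuf_size` is expected to be 0 after a failed av_fast_padded_malloc(), so the second `%d` carries no information. A message such as `av_log(ctx, AV_LOG_ERROR, "Failed to allocate %d bytes for the packet buffer\n", len);` would match the new behaviour and severity. A one-line comment above the allocation would also help, because the out-of-array read fix appears to rely on the zeroed padding that av_fast_padded_malloc() appends: the loop advances in steps of 3 and nothing in this hunk checks that `len` is a multiple of 3. decode() begins and continues outside the hunk, so the reads at `bptr + i + 1` and beyond are not visible here.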