authorMichael Niedermayer <michaelni@gmx.at>2010-01-23 01:25:19 +0000
committerMichael Niedermayer <michaelni@gmx.at>2010-01-23 01:25:19 +0000
commit7a086a852cca662ceb54d88383d74dd366914dd6 (patch)
tree3d00088d821d0846e10f31d1eb753a97943073c8 /ffmpeg.c
parente62a55b92e1524f12cbf78033383d5a4de90257a (diff)
Fix heap overflow with -async.
Fixes issue1666. Originally committed as revision 21390 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'ffmpeg.c')
-rw-r--r--ffmpeg.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/ffmpeg.c b/ffmpeg.c
index ef8311f9f6..011b083ce2 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -563,6 +563,7 @@ static void do_audio_out(AVFormatContext *s,
{
uint8_t *buftmp;
int64_t audio_out_size, audio_buf_size;
+ int64_t allocated_for_size= size;
int size_out, frame_bytes, ret;
AVCodecContext *enc= ost->st->codec;
@@ -571,7 +572,8 @@ static void do_audio_out(AVFormatContext *s,
int isize= av_get_bits_per_sample_format(dec->sample_fmt)/8;
const int coded_bps = av_get_bits_per_sample(enc->codec->id);
- audio_buf_size= (size + isize*dec->channels - 1) / (isize*dec->channels);
+need_realloc:
+ audio_buf_size= (allocated_for_size + isize*dec->channels - 1) / (isize*dec->channels);
audio_buf_size= (audio_buf_size*enc->sample_rate + dec->sample_rate) / dec->sample_rate;
audio_buf_size= audio_buf_size*2 + 10000; //safety factors for the deprecated resampling API
audio_buf_size*= osize*enc->channels;
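Review bot: The new `need_realloc:` label is the target of a backward `goto` from the -async padding branch in the third hunk, but nothing at the label says so; a comment such as `/* re-entered when silence padding grows the input past allocated_for_size */` would make the second pass obvious. Everything between this label and the `goto` runs twice on that path, and most of those lines are outside the visible hunks, so it is worth confirming that the buffer allocation consuming `audio_buf_size` is actually repeated and that nothing in between has side effects that must happen only once. The divisor `isize*dec->channels` on the changed line is also not checked against zero in the visible lines, and `isize` comes from a bits-per-sample lookup divided by 8.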
@@ -649,10 +651,11 @@ static void do_audio_out(AVFormatContext *s,
static uint8_t *input_tmp= NULL;
input_tmp= av_realloc(input_tmp, byte_delta + size);
- if(byte_delta + size <= MAX_AUDIO_PACKET_SIZE)
- ist->is_start=0;
- else
- byte_delta= MAX_AUDIO_PACKET_SIZE - size;
+ if(byte_delta > allocated_for_size - size){
+ allocated_for_size= byte_delta + (int64_t)size;
+ goto need_realloc;
+ }
+ ist->is_start=0;
memset(input_tmp, 0, byte_delta);
memcpy(input_tmp + byte_delta, buf, size);
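Review bot: The `av_realloc` result on the line above the new check is still passed to `memset`/`memcpy` without a NULL test, and with the `MAX_AUDIO_PACKET_SIZE` clamp removed nothing in this hunk bounds `byte_delta + size` any more, so the requested size now follows the timestamp gap in the input. The declarations of `byte_delta` and `size` are outside the hunk; if both are `int`, the sum in the `av_realloc` argument can wrap, whereas the new assignment already widens with `(int64_t)size`. I would add `if(!input_tmp) { /* fail like the function's other allocation errors */ }` right after the realloc, compute the sum once as `int64_t`, and reject values above a project-chosen cap before allocating. `do_audio_out` begins and ends outside this hunk.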