handle malloc failures in ff_get_wav_header

ff_get_wav_header is reading data from a WAVE file and then uses it
(without validation) to malloc a buffer. It then proceeded to read
data into the buffer, without verifying that the allocation succeeded.

To address this, change ff_get_wav_header to return an error if
allocation failed, and adapted all calling code to handle that error.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

1 files changed, 5 insertions, 1 deletions

diff --git a/libavformat/riff.c b/libavformat/riff.c
index 792c206678..c73152d40f 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -480,7 +480,7 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *t
  * WAVEFORMATEX adds 'WORD  cbSize' and basically makes itself
  * an openended structure.
  */
-void ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
+int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
 {
     int id;
 
@@ -510,6 +510,8 @@ void ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
         codec->extradata_size = cbSize;
         if (cbSize > 0) {
             codec->extradata = av_mallocz(codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
+            if (!codec->extradata)
+                return AVERROR(ENOMEM);
             avio_read(pb, codec->extradata, codec->extradata_size);
             size -= cbSize;
         }
@@ -524,6 +526,8 @@ void ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size)
         codec->channels    = 0;
         codec->sample_rate = 0;
     }
+
+    return 0;
 }