RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-19 09:38:13 +00:00
Code Issues Projects Releases Wiki Activity

Sanitize av_realloc() use in h264 mp4toannexb bistream filter.

Browse Source 
Originally committed as revision 23557 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Benoit Fouet 2010-06-10 05:59:22 +00:00
parent 25e25617f6
commit 639c697c4f
1 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
libavcodec/h264_mp4toannexb_bsf.c
View File

@ -28,14 +28,18 @@ typedef struct H264BSFContext {
int extradata_parsed; int extradata_parsed;
} H264BSFContext; } H264BSFContext;
static void alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size, static int alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size,
const uint8_t *sps_pps, uint32_t sps_pps_size, const uint8_t *sps_pps, uint32_t sps_pps_size,
const uint8_t *in, uint32_t in_size) { const uint8_t *in, uint32_t in_size) {
uint32_t offset = *poutbuf_size; uint32_t offset = *poutbuf_size;
uint8_t nal_header_size = offset ? 3 : 4; uint8_t nal_header_size = offset ? 3 : 4;
void *tmp;
*poutbuf_size += sps_pps_size+in_size+nal_header_size; *poutbuf_size += sps_pps_size+in_size+nal_header_size;
*poutbuf = av_realloc(*poutbuf, *poutbuf_size); tmp = av_realloc(*poutbuf, *poutbuf_size);
if (!tmp)
return AVERROR(ENOMEM);
*poutbuf = tmp;
if (sps_pps) if (sps_pps)
memcpy(*poutbuf+offset, sps_pps, sps_pps_size); memcpy(*poutbuf+offset, sps_pps, sps_pps_size);
memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size); memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size);
@ -45,6 +49,8 @@ static void alloc_and_copy(uint8_t **poutbuf, int *poutbuf_size,
(*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0; (*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0;
(*poutbuf+offset+sps_pps_size)[2] = 1; (*poutbuf+offset+sps_pps_size)[2] = 1;
} }
return 0;
} }
static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
@ -85,15 +91,20 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
sps_done++; sps_done++;
} }
while (unit_nb--) { while (unit_nb--) {
void *tmp;
unit_size = AV_RB16(extradata); unit_size = AV_RB16(extradata);
total_size += unit_size+4; total_size += unit_size+4;
if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) { if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) {
av_free(out); av_free(out);
return AVERROR(EINVAL); return AVERROR(EINVAL);
} }
out = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE); tmp = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!out) if (!tmp) {
av_free(out);
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
}
out = tmp;
memcpy(out+total_size-unit_size-4, nalu_header, 4); memcpy(out+total_size-unit_size-4, nalu_header, 4);
memcpy(out+total_size-unit_size, extradata+2, unit_size); memcpy(out+total_size-unit_size, extradata+2, unit_size);
extradata += 2+unit_size; extradata += 2+unit_size;
@ -131,15 +142,17 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
/* prepend only to the first type 5 NAL unit of an IDR picture */ /* prepend only to the first type 5 NAL unit of an IDR picture */
if (ctx->first_idr && unit_type == 5) { if (ctx->first_idr && unit_type == 5) {
alloc_and_copy(poutbuf, poutbuf_size, if (alloc_and_copy(poutbuf, poutbuf_size,
avctx->extradata, avctx->extradata_size, avctx->extradata, avctx->extradata_size,
buf, nal_size); buf, nal_size) < 0)
goto fail;
ctx->first_idr = 0; ctx->first_idr = 0;
} }
else { else {
alloc_and_copy(poutbuf, poutbuf_size, if (alloc_and_copy(poutbuf, poutbuf_size,
NULL, 0, NULL, 0,
buf, nal_size); buf, nal_size) < 0)
goto fail;
if (!ctx->first_idr && unit_type == 1) if (!ctx->first_idr && unit_type == 1)
ctx->first_idr = 1; ctx->first_idr = 1;
} }