57d7ee5a36
- jpegdec: Actually search for and parse RSTn. - mpeg4: Adjust dummy frame threshold for packed DivX. - mpeg4: Fix another packed DivX issue. - jpegdec: Better RSTn skiping. - Fix memory corruption in case of memory allocation failure. - cavsdec: Avoid possible crash with crafted input. - rtp: Fix integer underflow that could allow remote code execution. MSVR-11-008 8 - rtpdec_asf: Fix memleak. - mp3dec: Dont spam the user on multiple MP3 frames. - wavpack: Fixed invalid access with corrupted extra bits sub-blocks. - wavpack: Fixed invalid writes with corrupted bitstreams. - wavpack: Fixed invalid access with corrupted bitstream.
28 lines
1.1 KiB
Plaintext
28 lines
1.1 KiB
Plaintext
$OpenBSD: patch-libavformat_utils_c,v 1.3 2011/09/12 21:04:49 sthen Exp $
|
|
|
|
Fix memory corruption in case of memory allocation failure.
|
|
|
|
--- libavformat/utils.c.orig Thu Sep 8 14:11:08 2011
|
|
+++ libavformat/utils.c Thu Sep 8 14:13:30 2011
|
|
@@ -569,13 +569,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputForm
|
|
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
|
|
int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
|
|
int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
|
|
+ void *buftmp;
|
|
|
|
if (probe_size < offset) {
|
|
continue;
|
|
}
|
|
|
|
/* read probe data */
|
|
- buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
|
|
+ buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
|
|
+ if(!buftmp){
|
|
+ av_free(buf);
|
|
+ return AVERROR(ENOMEM);
|
|
+ }
|
|
+ buf=buftmp;
|
|
if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
|
|
/* fail if error was not end of file, otherwise, lower score */
|
|
if (ret != AVERROR_EOF) {
|