virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

Fix memory corruption in case of memory allocation failure in av_probe_input_buffer()

Browse Source 
Reported-by: Tanami Ohad
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2011-08-27 21:24:13 +02:00
parent 24ddfb2bdb
commit 941bb552c6
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libavformat/utils.c
View File

@@ -527,13 +527,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
void *buftmp;
if (probe_size < offset) { if (probe_size < offset) {
continue; continue;
} }
/* read probe data */ /* read probe data */
buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
if(!buftmp){
av_free(buf);
return AVERROR(ENOMEM);
}
buf=buftmp;
if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
/* fail if error was not end of file, otherwise, lower score */ /* fail if error was not end of file, otherwise, lower score */
if (ret != AVERROR_EOF) { if (ret != AVERROR_EOF) {