[FFmpeg-cvslog] r21390 - trunk/ffmpeg.c

michael subversion
Sat Jan 23 02:25:19 CET 2010


Author: michael
Date: Sat Jan 23 02:25:19 2010
New Revision: 21390

Log:
Fix heap overflow with -async.
Fixes issue1666

Modified:
   trunk/ffmpeg.c

Modified: trunk/ffmpeg.c
==============================================================================
--- trunk/ffmpeg.c	Sat Jan 23 00:40:18 2010	(r21389)
+++ trunk/ffmpeg.c	Sat Jan 23 02:25:19 2010	(r21390)
@@ -563,6 +563,7 @@ static void do_audio_out(AVFormatContext
 {
     uint8_t *buftmp;
     int64_t audio_out_size, audio_buf_size;
+    int64_t allocated_for_size= size;
 
     int size_out, frame_bytes, ret;
     AVCodecContext *enc= ost->st->codec;
@@ -571,7 +572,8 @@ static void do_audio_out(AVFormatContext
     int isize= av_get_bits_per_sample_format(dec->sample_fmt)/8;
     const int coded_bps = av_get_bits_per_sample(enc->codec->id);
 
-    audio_buf_size= (size + isize*dec->channels - 1) / (isize*dec->channels);
+need_realloc:
+    audio_buf_size= (allocated_for_size + isize*dec->channels - 1) / (isize*dec->channels);
     audio_buf_size= (audio_buf_size*enc->sample_rate + dec->sample_rate) / dec->sample_rate;
     audio_buf_size= audio_buf_size*2 + 10000; //safety factors for the deprecated resampling API
     audio_buf_size*= osize*enc->channels;
@@ -649,10 +651,11 @@ static void do_audio_out(AVFormatContext
                     static uint8_t *input_tmp= NULL;
                     input_tmp= av_realloc(input_tmp, byte_delta + size);
 
-                    if(byte_delta + size <= MAX_AUDIO_PACKET_SIZE)
-                        ist->is_start=0;
-                    else
-                        byte_delta= MAX_AUDIO_PACKET_SIZE - size;
+                    if(byte_delta > allocated_for_size - size){
+                        allocated_for_size= byte_delta + (int64_t)size;
+                        goto need_realloc;
+                    }
+                    ist->is_start=0;
 
                     memset(input_tmp, 0, byte_delta);
                     memcpy(input_tmp + byte_delta, buf, size);



More information about the ffmpeg-cvslog mailing list