[FFmpeg-cvslog] lavf/mov: Use av_fast_realloc() in mov_read_stts().

Carl Eugen Hoyos git at videolan.org
Mon Jan 1 23:27:45 EET 2018


ffmpeg | branch: master | Carl Eugen Hoyos <ceffmpeg at gmail.com> | Sun Dec 31 22:30:57 2017 +0100| [1112ba012df38d486694154b03f5007341f43b24] | committer: Carl Eugen Hoyos

lavf/mov: Use av_fast_realloc() in mov_read_stts().

Avoids large allocations for short files with invalid stts entry.
Fixes bugzilla 1102.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1112ba012df38d486694154b03f5007341f43b24
---

 libavformat/mov.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 20644734dc..22faecfc17 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2830,7 +2830,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 {
     AVStream *st;
     MOVStreamContext *sc;
-    unsigned int i, entries;
+    unsigned int i, entries, alloc_size = 0;
     int64_t duration=0;
     int64_t total_sample_count=0;
 
@@ -2848,15 +2848,24 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     if (sc->stts_data)
         av_log(c->fc, AV_LOG_WARNING, "Duplicated STTS atom\n");
-    av_free(sc->stts_data);
+    av_freep(&sc->stts_data);
     sc->stts_count = 0;
-    sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data));
-    if (!sc->stts_data)
+    if (entries >= INT_MAX / sizeof(*sc->stts_data))
         return AVERROR(ENOMEM);
 
     for (i = 0; i < entries && !pb->eof_reached; i++) {
         int sample_duration;
         unsigned int sample_count;
+        unsigned min_entries = FFMIN(FFMAX(i, 1024 * 1024), entries);
+        MOVStts *stts_data = av_fast_realloc(sc->stts_data, &alloc_size,
+                                             min_entries * sizeof(*sc->stts_data));
+        if (!stts_data) {
+            av_freep(&sc->stts_data);
+            sc->stts_count = 0;
+            return AVERROR(ENOMEM);
+        }
+        sc->stts_count = min_entries;
+        sc->stts_data = stts_data;
 
         sample_count=avio_rb32(pb);
         sample_duration = avio_rb32(pb);
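Review bot: `min_entries` is derived from `i` rather than `i + 1`, so once `i` exceeds 1024 * 1024 the size passed to av_fast_realloc() covers only entries 0..i-1 while this iteration is about to fill entry `i`. The padding av_fast_realloc() adds hides this on most iterations, but when `i * sizeof(*sc->stts_data)` lands at or just below `alloc_size` the buffer is not grown, and a store to `sc->stts_data[i]` (presumably in the rest of the loop body, which continues past this hunk) would write beyond the allocation, with `entries` apparently coming from the file being parsed. I would change the line to `unsigned min_entries = FFMIN(FFMAX(i + 1, 1024 * 1024), entries);`. Separately, `sc->stts_count = min_entries` can exceed the number of entries actually read if EOF stops the loop early, which is only safe if the count is reset to `i` after the loop; that code is not visible here and is worth confirming.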


