Ticket #264: MPLAYER-PATCH-OVERFLOW

File MPLAYER-PATCH-OVERFLOW, 11.3 KB (added by mikulas@…, 14 years ago)

First proposed patch for the buffer-overflow problems.

1diff -u -r x/MPlayer-1.0pre6a/libavformat/flic.c MPlayer-1.0pre6a/libavformat/flic.c
2--- x/MPlayer-1.0pre6a/libavformat/flic.c       Thu Dec 23 22:24:08 2004
3+++ MPlayer-1.0pre6a/libavformat/flic.c Sat Mar 26 19:40:38 2005
4@@ -97,7 +97,7 @@
5 
6     /* send over the whole 128-byte FLIC header */
7     st->codec.extradata_size = FLIC_HEADER_SIZE;
8-    st->codec.extradata = av_malloc(FLIC_HEADER_SIZE);
9+    st->codec.extradata = av_malloc(FLIC_HEADER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
10     memcpy(st->codec.extradata, header, FLIC_HEADER_SIZE);
11 
12     av_set_pts_info(st, 33, 1, 90000);
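Review bot: The av_malloc() result on the changed line is written through by the memcpy on the next line without a NULL check, so an allocation failure becomes a write to a null-based address; add `if (!st->codec.extradata) return AVERROR_IO;` (or whichever error code this function's other failure paths use — it starts outside the hunk) between the two. The padding bytes the commit adds are also left uninitialized by av_malloc(); if the decoder side relies on libavcodec's convention of zeroed padding, `av_mallocz()` is the right call here. The same pattern recurs in the second flic.c hunk.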
13@@ -115,7 +115,7 @@
14         /* send over abbreviated FLIC header chunk */
15         av_free(st->codec.extradata);
16         st->codec.extradata_size = 12;
17-        st->codec.extradata = av_malloc(12);
18+        st->codec.extradata = av_malloc(12 + FF_INPUT_BUFFER_PADDING_SIZE);
19         memcpy(st->codec.extradata, header, 12);
20 
21     } else if (magic_number == FLIC_FILE_MAGIC_1) {
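Review bot: extradata_size is set to 12 before the av_malloc() on the changed line has succeeded, and the result is not checked, so on allocation failure the stream carries size 12 with a NULL pointer and the memcpy writes to it. Assign the size after a successful allocation, or reset it on failure: `if (!st->codec.extradata) { st->codec.extradata_size = 0; return AVERROR_IO; }`. As in the first hunk, av_malloc() leaves the new padding uninitialized; use av_mallocz() if zeroed padding is expected downstream.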
22diff -u -r x/MPlayer-1.0pre6a/libavformat/idcin.c MPlayer-1.0pre6a/libavformat/idcin.c
23--- x/MPlayer-1.0pre6a/libavformat/idcin.c      Thu Dec 23 22:24:08 2004
24+++ MPlayer-1.0pre6a/libavformat/idcin.c        Sat Mar 26 19:40:22 2005
25@@ -164,7 +164,7 @@
26 
27     /* load up the Huffman tables into extradata */
28     st->codec.extradata_size = HUFFMAN_TABLE_SIZE;
29-    st->codec.extradata = av_malloc(HUFFMAN_TABLE_SIZE);
30+    st->codec.extradata = av_malloc(HUFFMAN_TABLE_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
31     if (get_buffer(pb, st->codec.extradata, HUFFMAN_TABLE_SIZE) !=
32         HUFFMAN_TABLE_SIZE)
33         return AVERROR_IO;
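Review bot: The av_malloc() result on the changed line is handed straight to get_buffer() without a NULL check, so an allocation failure becomes a read into a NULL buffer; add `if (!st->codec.extradata) return AVERROR_IO;` before the get_buffer() call. On the short-read path the function returns with extradata allocated and extradata_size set; whether the caller frees it on error is not visible here, so confirm there is no leak.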
34diff -u -r x/MPlayer-1.0pre6a/libavformat/rm.c MPlayer-1.0pre6a/libavformat/rm.c
35--- x/MPlayer-1.0pre6a/libavformat/rm.c Thu Dec 23 22:24:08 2004
36+++ MPlayer-1.0pre6a/libavformat/rm.c   Sat Mar 26 19:40:07 2005
37@@ -664,7 +664,7 @@
38                 get_be16(pb);
39                 
40                 st->codec.extradata_size= codec_data_size - (url_ftell(pb) - codec_pos);
41-                st->codec.extradata= av_malloc(st->codec.extradata_size);
42+                st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
43                 get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
44                 
45 //                av_log(NULL, AV_LOG_DEBUG, "fps= %d fps2= %d\n", fps, fps2);
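Review bot: Adding padding does not address the real hazard in this hunk: extradata_size is computed as `codec_data_size - (url_ftell(pb) - codec_pos)` from file-supplied values and is an int, so it can be negative (or absurdly large) and av_malloc() then receives a wrapped size while get_buffer() reads that many bytes into it. Guard before the allocation, e.g. `if (st->codec.extradata_size < 0) return -1;` using the function's usual error path (it starts outside the hunk), and check the av_malloc() result. The get_buffer() return value is also ignored here, unlike the idcin.c and westwood.c hunks in the same patch.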
46diff -u -r x/MPlayer-1.0pre6a/libavformat/sierravmd.c MPlayer-1.0pre6a/libavformat/sierravmd.c
47--- x/MPlayer-1.0pre6a/libavformat/sierravmd.c  Thu Dec 23 22:24:08 2004
48+++ MPlayer-1.0pre6a/libavformat/sierravmd.c    Sat Mar 26 19:39:55 2005
49@@ -137,7 +137,7 @@
50     st->codec.width = LE_16(&vmd->vmd_header[12]);
51     st->codec.height = LE_16(&vmd->vmd_header[14]);
52     st->codec.extradata_size = VMD_HEADER_SIZE;
53-    st->codec.extradata = av_malloc(VMD_HEADER_SIZE);
54+    st->codec.extradata = av_malloc(VMD_HEADER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
55     memcpy(st->codec.extradata, vmd->vmd_header, VMD_HEADER_SIZE);
56 
57     /* if sample rate is 0, assume no audio */
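Review bot: The av_malloc() result on the changed line feeds the memcpy on the next line unchecked, and extradata_size has already been set, so an allocation failure leaves a non-zero size paired with a NULL pointer; add `if (!st->codec.extradata) return AVERROR_IO;` (or the error code this function otherwise returns — it starts outside the hunk) before the memcpy. av_malloc() also leaves the added padding bytes uninitialized; use av_mallocz() if the decoder expects zeroed padding.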
58diff -u -r x/MPlayer-1.0pre6a/libavformat/westwood.c MPlayer-1.0pre6a/libavformat/westwood.c
59--- x/MPlayer-1.0pre6a/libavformat/westwood.c   Thu Dec 23 22:24:08 2004
60+++ MPlayer-1.0pre6a/libavformat/westwood.c     Sat Mar 26 19:39:36 2005
61@@ -234,7 +234,7 @@
62 
63     /* the VQA header needs to go to the decoder */
64     st->codec.extradata_size = VQA_HEADER_SIZE;
65-    st->codec.extradata = av_malloc(VQA_HEADER_SIZE);
66+    st->codec.extradata = av_malloc(VQA_HEADER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
67     header = (unsigned char *)st->codec.extradata;
68     if (get_buffer(pb, st->codec.extradata, VQA_HEADER_SIZE) !=
69         VQA_HEADER_SIZE) {
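Review bot: The get_buffer() short-read case is checked but the av_malloc() on the changed line is not, so a failed allocation is passed directly to get_buffer(); insert `if (!st->codec.extradata) return AVERROR_IO;` before the `header = ...` assignment. The short-read branch continues outside the hunk; make sure it frees extradata (or the caller does) so the error path does not leak.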
70diff -u -r x/MPlayer-1.0pre6a/libmpcodecs/ad_ffmpeg.c MPlayer-1.0pre6a/libmpcodecs/ad_ffmpeg.c
71--- x/MPlayer-1.0pre6a/libmpcodecs/ad_ffmpeg.c  Tue Sep 21 22:34:46 2004
72+++ MPlayer-1.0pre6a/libmpcodecs/ad_ffmpeg.c    Sat Mar 26 19:37:21 2005
73@@ -72,7 +72,7 @@
74 
75     /* alloc extra data */
76     if (sh_audio->wf && sh_audio->wf->cbSize > 0) {
77-        lavc_context->extradata = malloc(sh_audio->wf->cbSize);
78+        lavc_context->extradata = malloc(sh_audio->wf->cbSize + FF_INPUT_BUFFER_PADDING_SIZE);
79         lavc_context->extradata_size = sh_audio->wf->cbSize;
80         memcpy(lavc_context->extradata, (char *)sh_audio->wf + sizeof(WAVEFORMATEX),
81                lavc_context->extradata_size);
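Review bot: The malloc() result on the changed line is used by the memcpy below without a NULL check, so an allocation failure dereferences NULL; add `if (!lavc_context->extradata) return 0;` (or whatever this init function returns on failure — it starts outside the hunk) before setting extradata_size. The copy also trusts that the demuxer allocated `sh_audio->wf` with cbSize bytes following the WAVEFORMATEX; cbSize is a file-supplied field, so this is only safe if every demuxer sizes wf from cbSize — not verifiable here, worth confirming. Note this path uses plain malloc() while the libavformat hunks use av_malloc(); if libavcodec ever frees extradata with av_free(), the allocators would mismatch.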
82diff -u -r x/MPlayer-1.0pre6a/libmpcodecs/vd_ffmpeg.c MPlayer-1.0pre6a/libmpcodecs/vd_ffmpeg.c
83--- x/MPlayer-1.0pre6a/libmpcodecs/vd_ffmpeg.c  Fri Dec 17 08:34:23 2004
84+++ MPlayer-1.0pre6a/libmpcodecs/vd_ffmpeg.c    Sat Mar 26 19:39:04 2005
85@@ -281,7 +281,7 @@
86     {
87        avctx->flags |= CODEC_FLAG_EXTERN_HUFF;
88        avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER);
89-       avctx->extradata = malloc(avctx->extradata_size);
90+       avctx->extradata = malloc(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
91        memcpy(avctx->extradata, sh->bih+sizeof(BITMAPINFOHEADER),
92            avctx->extradata_size);
93 
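Review bot: The memcpy source on the context line, `sh->bih+sizeof(BITMAPINFOHEADER)`, advances a BITMAPINFOHEADER pointer by sizeof(BITMAPINFOHEADER) elements rather than bytes — the third vd_ffmpeg.c hunk uses `sh->bih+1` for the same offset — so the Huffman tables are copied from roughly 40× too far past the header (about 1600 bytes on the usual 40-byte layout), reading beyond the bih allocation; it should read `memcpy(avctx->extradata, sh->bih+1, avctx->extradata_size);`. Separately, `sh->bih->biSize-sizeof(BITMAPINFOHEADER)` wraps when the file-supplied biSize is below sizeof(BITMAPINFOHEADER), producing a negative extradata_size and a huge malloc, so guard with `if (sh->bih->biSize <= sizeof(BITMAPINFOHEADER)) ...` before it. The malloc() result is also not checked before the memcpy. The enclosing if-block begins outside the hunk.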
94@@ -303,7 +303,7 @@
95        || sh->format == mmioFOURCC('R', 'V', '4', '0')
96        ){
97         avctx->extradata_size= 8;
98-        avctx->extradata = malloc(avctx->extradata_size);
99+        avctx->extradata = malloc(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
100         if(sh->bih->biSize!=sizeof(*sh->bih)+8){
101             /* only 1 packet per frame & sub_id from fourcc */
102            ((uint32_t*)avctx->extradata)[0] = 0;
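Review bot: The malloc() on the changed line is unchecked and the next lines store through `((uint32_t*)avctx->extradata)[0]`, so an allocation failure is a NULL write; add `if (!avctx->extradata) return 0;` (matching however this function reports failure — it starts and ends outside the hunk) right after the allocation. The padding bytes are also left uninitialized by malloc(); if libavcodec expects zeroed padding, use calloc() or memset the tail.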
103@@ -338,7 +338,7 @@
104          ))
105     {
106        avctx->extradata_size = sh->bih->biSize-sizeof(BITMAPINFOHEADER);
107-       avctx->extradata = malloc(avctx->extradata_size);
108+       avctx->extradata = malloc(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
109        memcpy(avctx->extradata, sh->bih+1, avctx->extradata_size);
110     }
111     /* Pass palette to codec */
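Review bot: `sh->bih->biSize-sizeof(BITMAPINFOHEADER)` is unsigned arithmetic on a file-supplied DWORD, so a biSize smaller than the header wraps to a huge value that lands in the int extradata_size as a negative number, and the malloc() and memcpy then operate on a garbage size. Guard first: `if (sh->bih->biSize <= sizeof(BITMAPINFOHEADER)) return 0;` (using this function's failure convention), and check the malloc() result before the memcpy. The memcpy also assumes the demuxer allocated bih with biSize bytes; the condition opening this block lies outside the hunk.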
112@@ -359,7 +359,7 @@
113     if (sh->ImageDesc &&
114         sh->format == mmioFOURCC('S','V','Q','3')){
115        avctx->extradata_size = (*(int*)sh->ImageDesc) - sizeof(int);
116-       avctx->extradata = malloc(avctx->extradata_size);
117+       avctx->extradata = malloc(avctx->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
118        memcpy(avctx->extradata, ((int*)sh->ImageDesc)+1, avctx->extradata_size);
119     }
120     
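Review bot: `(*(int*)sh->ImageDesc) - sizeof(int)` mixes a signed length word with size_t, so a length below 4 (or negative) wraps to a huge unsigned value that is truncated into extradata_size, after which malloc() and the memcpy run with a bogus size and read far past ImageDesc. Read the length into a local and validate it first, e.g. `int desc_len = *(int*)sh->ImageDesc; if (desc_len < (int)sizeof(int)) return 0;`, then derive extradata_size from it. The length presumably comes from the MOV sample description in the file, so it must be treated as untrusted; the malloc() result is also unchecked.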
121diff -u -r x/MPlayer-1.0pre6a/libmpdemux/demux_asf.c MPlayer-1.0pre6a/libmpdemux/demux_asf.c
122--- x/MPlayer-1.0pre6a/libmpdemux/demux_asf.c   Sat Sep 11 11:40:34 2004
123+++ MPlayer-1.0pre6a/libmpdemux/demux_asf.c     Sat Mar 26 19:58:33 2005
124@@ -12,6 +12,8 @@
125 #include "asf.h"
126 #include "demuxer.h"
127 
128+#include "avcodec.h"
129+
130 
131 /*
132  * Load 16/32-bit values in little endian byte order
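Review bot: The new `#include "avcodec.h"` makes the ASF demuxer depend on libavcodec headers solely for FF_INPUT_BUFFER_PADDING_SIZE, and the same include is added to demux_real.c, demux_viv.c and video.c; if MPlayer can be built without libavcodec (not visible here), these hunks would break that configuration. A cleaner option is a single libmpdemux-owned constant (for instance in demuxer.h) that mirrors lavc's value, with a comment stating it must stay in sync, so the demuxers do not reach into codec headers.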
133@@ -103,7 +105,7 @@
134         // append data to it!
135         demux_packet_t* dp=ds->asf_packet;
136         if(dp->len!=offs && offs!=-1) mp_msg(MSGT_DEMUX,MSGL_V,"warning! fragment.len=%d BUT next fragment offset=%d  \n",dp->len,offs);
137-        dp->buffer=realloc(dp->buffer,dp->len+len);
138+        dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
139         memcpy(dp->buffer+dp->len,data,len);
140         mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
141         dp->len+=len;
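Review bot: The realloc() on the changed line overwrites dp->buffer without checking the result, so on failure the old buffer is lost and the memcpy on the next line writes to `NULL+dp->len`. Use a temporary: `void *nb = realloc(dp->buffer, dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); if (!nb) return; dp->buffer = nb;` (adapting the bail-out to this function's return type, which is declared outside the hunk). If `len` comes from the ASF fragment header, `dp->len+len` can also overflow an int over many appends, so an upper bound on the accumulated packet size is worth adding.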
142diff -u -r x/MPlayer-1.0pre6a/libmpdemux/demux_mov.c MPlayer-1.0pre6a/libmpdemux/demux_mov.c
143--- x/MPlayer-1.0pre6a/libmpdemux/demux_mov.c   Tue Dec 21 13:27:38 2004
144+++ MPlayer-1.0pre6a/libmpdemux/demux_mov.c     Sat Mar 26 20:20:23 2005
145@@ -836,6 +836,7 @@
146            priv->tracks[priv->track_db]=trak;
147            lschunks(demuxer,level+1,pos+len,trak);
148            mov_build_index(trak,priv->timescale);
149+           if (!trak->stdata) return;
150            switch(trak->type){
151            case MOV_TRAK_AUDIO: {
152 #if 0                             
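Review bot: The new `if (!trak->stdata) return;` comes after the track has already been stored in `priv->tracks` and passed to mov_build_index(), and a bare return leaves the enclosing function (which starts outside the hunk) rather than just this track, so any sibling atoms parsed after this one are presumably skipped while later code may still encounter a track without stdata. If the switch below is the only thing that needs stdata, `break;` or wrapping the switch in `if (trak->stdata) { ... }` would skip just this track; if mov_build_index() also reads stdata, the check belongs before that call instead. Worth a comment explaining why a stdata-less track is tolerated here.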
153@@ -937,8 +938,11 @@
154                }
155 
156                if((trak->stdata[9]==0 || trak->stdata[9]==1) && trak->stdata_len >= 36) { // version 0 with extra atoms
157+       int atom_len;
158         int adjust = (trak->stdata[9]==1)?48:0;
159-                   int atom_len = char2int(trak->stdata,28+adjust);
160+                   if (trak->stdata_len < adjust + 32) goto skip_atom;
161+                   atom_len = char2int(trak->stdata,28+adjust);
162+                   if (atom_len > 0x1000000 || trak->stdata_len < adjust + 28 + atom_len) goto skip_atom;
163                    switch(char2int(trak->stdata,32+adjust)) { // atom type
164                      case MOV_FOURCC('e','s','d','s'): {
165                        mp_msg(MSGT_DEMUX, MSGL_INFO, "MOV: Found MPEG4 audio Elementary Stream Descriptor atom (%d)!\n", atom_len);
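Review bot: `atom_len` is a signed int read from the file, and the new check `atom_len > 0x1000000 || trak->stdata_len < adjust + 28 + atom_len` lets a negative or sub-8 value through: a negative atom_len makes the second comparison trivially false, and the following `char2int(trak->stdata,32+adjust)` then reads four bytes that the `adjust + 32` bound does not cover. Tighten it to `if (atom_len < 8 || atom_len > 0x1000000 || trak->stdata_len < adjust + 28 + atom_len) goto skip_atom;` so the atom header itself is guaranteed to be in range. Style: the added `int atom_len;` declaration is indented to a different column from the rest of the block.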
166@@ -973,6 +977,7 @@
167                            atom_len);
168                    }
169                } 
170+               skip_atom:
171                mp_msg(MSGT_DEMUX, MSGL_INFO, "Fourcc: %.4s\n",&trak->fourcc);
172 #if 0
173                { FILE* f=fopen("stdata.dat","wb");
174diff -u -r x/MPlayer-1.0pre6a/libmpdemux/demux_real.c MPlayer-1.0pre6a/libmpdemux/demux_real.c
175--- x/MPlayer-1.0pre6a/libmpdemux/demux_real.c  Mon Nov  1 14:49:07 2004
176+++ MPlayer-1.0pre6a/libmpdemux/demux_real.c    Sat Mar 26 20:16:05 2005
177@@ -32,6 +32,8 @@
178 #include "stheader.h"
179 #include "bswap.h"
180 
181+#include "avcodec.h"
182+
183 //#define mp_dbg(mod,lev, args... ) mp_msg_c((mod<<8)|lev, ## args )
184 
185 #define MKTAG(a, b, c, d) (a | (b << 8) | (c << 16) | (d << 24))
186@@ -761,7 +763,7 @@
187                            // increase buffer size, this should not happen!
188                            mp_msg(MSGT_DEMUX,MSGL_WARN, "chunktab buffer too small!!!!!\n");
189                            dp->len=dp_hdr->chunktab+8*(4+dp_hdr->chunks);
190-                           dp->buffer=realloc(dp->buffer,dp->len);
191+                           dp->buffer=realloc(dp->buffer,dp->len+FF_INPUT_BUFFER_PADDING_SIZE);
192                            // re-calc pointers:
193                            dp_hdr=(dp_hdr_t*)dp->buffer;
194                            dp_data=dp->buffer+sizeof(dp_hdr_t);
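Review bot: The realloc() on the changed line is unchecked and its result is immediately cast to `dp_hdr_t*` and dereferenced, so an allocation failure is a NULL dereference and the old buffer is leaked; assign to a temporary first, e.g. `void *nb = realloc(dp->buffer, dp->len+FF_INPUT_BUFFER_PADDING_SIZE); if (!nb) { /* drop packet */ ... } dp->buffer = nb;`. The new dp->len is derived from `dp_hdr->chunks`, which appears to come from the stream, so a very large chunk count is exactly the case that makes this realloc() fail; consider bounding chunks before growing the buffer. The enclosing function starts and ends outside the hunk.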
195diff -u -r x/MPlayer-1.0pre6a/libmpdemux/demux_viv.c MPlayer-1.0pre6a/libmpdemux/demux_viv.c
196--- x/MPlayer-1.0pre6a/libmpdemux/demux_viv.c   Wed Mar 31 07:40:31 2004
197+++ MPlayer-1.0pre6a/libmpdemux/demux_viv.c     Sat Mar 26 20:15:48 2005
198@@ -15,6 +15,8 @@
199 #include "stheader.h"
200 #include "bswap.h"
201 
202+#include "avcodec.h"
203+
204 /* parameters ! */
205 int vivo_param_version = -1;
206 char *vivo_param_acodec = NULL;
207@@ -379,7 +381,7 @@
208       } else {
209         // append data to it!
210         demux_packet_t* dp=ds->asf_packet;
211-        dp->buffer=realloc(dp->buffer,dp->len+len);
212+        dp->buffer=realloc(dp->buffer,dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE);
213         //memcpy(dp->buffer+dp->len,data,len);
214        stream_read(demux->stream,dp->buffer+dp->len,len);
215         mp_dbg(MSGT_DEMUX,MSGL_DBG4,"data appended! %d+%d\n",dp->len,len);
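Review bot: The realloc() on the changed line replaces dp->buffer without a NULL check, so on failure the original packet memory is lost and stream_read() on the next line writes into `NULL+dp->len`. Use `void *nb = realloc(dp->buffer, dp->len+len+FF_INPUT_BUFFER_PADDING_SIZE); if (!nb) return; dp->buffer = nb;` (adapting the bail-out to this function's return type, declared outside the hunk). If `len` is read from the Vivo stream, an upper bound on dp->len+len would also prevent unbounded growth across appends.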
216diff -u -r x/MPlayer-1.0pre6a/libmpdemux/video.c MPlayer-1.0pre6a/libmpdemux/video.c
217--- x/MPlayer-1.0pre6a/libmpdemux/video.c       Wed Nov 24 19:55:03 2004
218+++ MPlayer-1.0pre6a/libmpdemux/video.c Sat Mar 26 19:54:17 2005
219@@ -21,6 +21,7 @@
220 
221 /* sub_cc (closed captions)*/
222 #include "../sub_cc.h"
223+#include "avcodec.h"
224 
225 /* biCompression constant */
226 #define BI_RGB        0L
227@@ -127,7 +128,7 @@
228       }
229    }
230    mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
231-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
232+   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
233    if(!videobuffer){
234      mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
235      return 0;
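Review bot: memalign() does not zero memory, so the padding bytes appended to videobuffer on the changed line hold whatever was in the heap; if the libavcodec parsers this buffer is fed to rely on zeroed padding beyond the payload (the usual reason for FF_INPUT_BUFFER_PADDING_SIZE), add `memset(videobuffer + VIDEOBUFFER_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the NULL check. The NULL check already present below is good; the same allocation appears twice more in this file.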
236@@ -167,7 +168,7 @@
237       }
238    }
239    mp_msg(MSGT_DECVIDEO,MSGL_V,"OK!\n");
240-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
241+   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
242    if(!videobuffer){
243      mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
244      return 0;
245@@ -214,7 +215,7 @@
246 //   sh_video=d_video->sh;sh_video->ds=d_video;
247 //   mpeg2_init();
248    // ========= Read & process sequence header & extension ============
249-   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE);
250+   if(!videobuffer) videobuffer=(char*)memalign(8,VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
251    if(!videobuffer){
252      mp_msg(MSGT_DECVIDEO,MSGL_ERR,MSGTR_ShMemAllocFail);
253      return 0;
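Review bot: This is the third identical copy of the videobuffer allocation in the file, each now carrying the same `VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE` expression and the same NULL check; a single helper such as `static char *alloc_videobuffer(void) { return memalign(8, VIDEOBUFFER_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); }` would keep the size in one place so a future change cannot miss a site. As in the other two hunks, memalign() leaves the padding uninitialized, so zero it if the consumer expects zeroed padding.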