| gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 |
| |
| Upstream-Status: Backport |
| |
| Signed-off-by: Yue Tao <yue.tao@windriver.com> |
| |
| diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c |
| index 2a0df8c..bcbd56d 100644 |
| --- a/gst-libs/ext/libav/libavcodec/alac.c.old |
| +++ b/gst-libs/ext/libav/libavcodec/alac.c |
| @@ -87,18 +87,44 @@ typedef struct { |
| int wasted_bits; |
| } ALACContext; |
| |
| -static void allocate_buffers(ALACContext *alac) |
| +static av_cold int alac_decode_close(AVCodecContext *avctx) |
| +{ |
| + ALACContext *alac = avctx->priv_data; |
| + |
| + int chan; |
| + for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| + av_freep(&alac->predicterror_buffer[chan]); |
| + av_freep(&alac->outputsamples_buffer[chan]); |
| + av_freep(&alac->wasted_bits_buffer[chan]); |
| + } |
| + |
| + return 0; |
| +} |
| + |
| +static int allocate_buffers(ALACContext *alac) |
| { |
| int chan; |
| + int buf_size; |
| + |
| + if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) |
| + goto buf_alloc_fail; |
| + buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t); |
| + |
| for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| - alac->predicterror_buffer[chan] = |
| - av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| |
| - alac->outputsamples_buffer[chan] = |
| - av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| + FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan], |
| + buf_size, buf_alloc_fail); |
| |
| - alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| + FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan], |
| + buf_size, buf_alloc_fail); |
| + |
| + FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan], |
| + buf_size, buf_alloc_fail); |
| } |
| + return 0; |
| +buf_alloc_fail: |
| + alac_decode_close(alac->avctx); |
| + return AVERROR(ENOMEM); |
| } |
| |
| static int alac_set_info(ALACContext *alac) |
| @@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac) |
| bytestream_get_be32(&ptr); /* bitrate ? */ |
| bytestream_get_be32(&ptr); /* samplerate */ |
| |
| - allocate_buffers(alac); |
| - |
| return 0; |
| } |
| |
| @@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx, |
| |
| static av_cold int alac_decode_init(AVCodecContext * avctx) |
| { |
| + int ret; |
| ALACContext *alac = avctx->priv_data; |
| alac->avctx = avctx; |
| alac->numchannels = alac->avctx->channels; |
| @@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) |
| return -1; |
| } |
| |
| - return 0; |
| -} |
| - |
| -static av_cold int alac_decode_close(AVCodecContext *avctx) |
| -{ |
| - ALACContext *alac = avctx->priv_data; |
| - |
| - int chan; |
| - for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| - av_freep(&alac->predicterror_buffer[chan]); |
| - av_freep(&alac->outputsamples_buffer[chan]); |
| - av_freep(&alac->wasted_bits_buffer[chan]); |
| + if ((ret = allocate_buffers(alac)) < 0) { |
| + av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n"); |
| + return ret; |
| } |
| |
| return 0; |