Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / b48b7b4109868a8c0ddda090992e936e821c7ea6 / . / import-layers / meta-openembedded / meta-multimedia / recipes-multimedia / gstreamer-0.10 / gst-ffmpeg-0.10.13 / gst-ffmpeg-CVE-2013-0855.patch
blob: 3c8d8e353e1f86fdfd80b2674370865647274c09 [file] [log] [blame]
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
index 2a0df8c..bcbd56d 100644
--- a/gst-libs/ext/libav/libavcodec/alac.c.old
+++ b/gst-libs/ext/libav/libavcodec/alac.c
@@ -87,18 +87,44 @@ typedef struct {
int wasted_bits;
} ALACContext;
-static void allocate_buffers(ALACContext *alac)
+static av_cold int alac_decode_close(AVCodecContext *avctx)
+{
+ ALACContext *alac = avctx->priv_data;
+
+ int chan;
+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
+ av_freep(&alac->predicterror_buffer[chan]);
+ av_freep(&alac->outputsamples_buffer[chan]);
+ av_freep(&alac->wasted_bits_buffer[chan]);
+ }
+
+ return 0;
+}
+
+static int allocate_buffers(ALACContext *alac)
{
int chan;
+ int buf_size;
+
+ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
+ goto buf_alloc_fail;
+ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
+
for (chan = 0; chan < MAX_CHANNELS; chan++) {
- alac->predicterror_buffer[chan] =
- av_malloc(alac->setinfo_max_samples_per_frame * 4);
- alac->outputsamples_buffer[chan] =
- av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
+ buf_size, buf_alloc_fail);
- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
+ buf_size, buf_alloc_fail);
+
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
+ buf_size, buf_alloc_fail);
}
+ return 0;
+buf_alloc_fail:
+ alac_decode_close(alac->avctx);
+ return AVERROR(ENOMEM);
}
static int alac_set_info(ALACContext *alac)
@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
bytestream_get_be32(&ptr); /* bitrate ? */
bytestream_get_be32(&ptr); /* samplerate */
- allocate_buffers(alac);
-
return 0;
}
@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
static av_cold int alac_decode_init(AVCodecContext * avctx)
{
+ int ret;
ALACContext *alac = avctx->priv_data;
alac->avctx = avctx;
alac->numchannels = alac->avctx->channels;
@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
return -1;
}
- return 0;
-}
-
-static av_cold int alac_decode_close(AVCodecContext *avctx)
-{
- ALACContext *alac = avctx->priv_data;
-
- int chan;
- for (chan = 0; chan < MAX_CHANNELS; chan++) {
- av_freep(&alac->predicterror_buffer[chan]);
- av_freep(&alac->outputsamples_buffer[chan]);
- av_freep(&alac->wasted_bits_buffer[chan]);
+ if ((ret = allocate_buffers(alac)) < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
+ return ret;
}
return 0;