Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 |
| 2 | |
| 3 | Upstream-Status: Backport |
| 4 | |
| 5 | Signed-off-by: Yue Tao <yue.tao@windriver.com> |
| 6 | |
| 7 | diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c |
| 8 | index 2a0df8c..bcbd56d 100644 |
| 9 | --- a/gst-libs/ext/libav/libavcodec/alac.c.old |
| 10 | +++ b/gst-libs/ext/libav/libavcodec/alac.c |
| 11 | @@ -87,18 +87,44 @@ typedef struct { |
| 12 | int wasted_bits; |
| 13 | } ALACContext; |
| 14 | |
| 15 | -static void allocate_buffers(ALACContext *alac) |
| 16 | +static av_cold int alac_decode_close(AVCodecContext *avctx) |
| 17 | +{ |
| 18 | + ALACContext *alac = avctx->priv_data; |
| 19 | + |
| 20 | + int chan; |
| 21 | + for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| 22 | + av_freep(&alac->predicterror_buffer[chan]); |
| 23 | + av_freep(&alac->outputsamples_buffer[chan]); |
| 24 | + av_freep(&alac->wasted_bits_buffer[chan]); |
| 25 | + } |
| 26 | + |
| 27 | + return 0; |
| 28 | +} |
| 29 | + |
| 30 | +static int allocate_buffers(ALACContext *alac) |
| 31 | { |
| 32 | int chan; |
| 33 | + int buf_size; |
| 34 | + |
| 35 | + if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) |
| 36 | + goto buf_alloc_fail; |
| 37 | + buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t); |
| 38 | + |
| 39 | for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| 40 | - alac->predicterror_buffer[chan] = |
| 41 | - av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| 42 | |
| 43 | - alac->outputsamples_buffer[chan] = |
| 44 | - av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| 45 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan], |
| 46 | + buf_size, buf_alloc_fail); |
| 47 | |
| 48 | - alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4); |
| 49 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan], |
| 50 | + buf_size, buf_alloc_fail); |
| 51 | + |
| 52 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan], |
| 53 | + buf_size, buf_alloc_fail); |
| 54 | } |
| 55 | + return 0; |
| 56 | +buf_alloc_fail: |
| 57 | + alac_decode_close(alac->avctx); |
| 58 | + return AVERROR(ENOMEM); |
| 59 | } |
| 60 | |
| 61 | static int alac_set_info(ALACContext *alac) |
| 62 | @@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac) |
| 63 | bytestream_get_be32(&ptr); /* bitrate ? */ |
| 64 | bytestream_get_be32(&ptr); /* samplerate */ |
| 65 | |
| 66 | - allocate_buffers(alac); |
| 67 | - |
| 68 | return 0; |
| 69 | } |
| 70 | |
| 71 | @@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx, |
| 72 | |
| 73 | static av_cold int alac_decode_init(AVCodecContext * avctx) |
| 74 | { |
| 75 | + int ret; |
| 76 | ALACContext *alac = avctx->priv_data; |
| 77 | alac->avctx = avctx; |
| 78 | alac->numchannels = alac->avctx->channels; |
| 79 | @@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) |
| 80 | return -1; |
| 81 | } |
| 82 | |
| 83 | - return 0; |
| 84 | -} |
| 85 | - |
| 86 | -static av_cold int alac_decode_close(AVCodecContext *avctx) |
| 87 | -{ |
| 88 | - ALACContext *alac = avctx->priv_data; |
| 89 | - |
| 90 | - int chan; |
| 91 | - for (chan = 0; chan < MAX_CHANNELS; chan++) { |
| 92 | - av_freep(&alac->predicterror_buffer[chan]); |
| 93 | - av_freep(&alac->outputsamples_buffer[chan]); |
| 94 | - av_freep(&alac->wasted_bits_buffer[chan]); |
| 95 | + if ((ret = allocate_buffers(alac)) < 0) { |
| 96 | + av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n"); |
| 97 | + return ret; |
| 98 | } |
| 99 | |
| 100 | return 0; |