Navigation

← Previous Changeset
Next Changeset →

Changeset 0e90ac58d8d1476cfdd81eb57e2a2a0eca0e5d91

Timestamp:

03/02/08 09:48:27 (2 months ago)

Author:

Rémi Denis-Courmont <rem@videolan.org>

git-committer:

Rémi Denis-Courmont <rem@videolan.org> 1204447707 +0200

git-parent:

[4e5b503760d978de585c82d574c0f83c2fe856f1]

git-author:

Rémi Denis-Courmont <rem@videolan.org> 1204402943 +0200

Message:

Fix memory leak in case of corrupt MP4 box

Signed-off-by: Rémi Denis-Courmont <rem@videolan.org>

Files:

modules/demux/mp4/libmp4.c (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

modules/demux/mp4/libmp4.c

redca13e	r0e90ac5
1664	1664	}
1665	1665
	1666	static int MP4_ReadBox_padb( stream_t p_stream, MP4_Box_t p_box )
	1667	{
	1668	int code = 0;
	1669	unsigned int i;
	1670	uint32_t count;
	1671
	1672	MP4_READBOX_ENTER( MP4_Box_data_padb_t );
	1673
	1674	MP4_GETVERSIONFLAGS( p_box->data.p_padb );
	1675
	1676
	1677	MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );
	1678	count = (p_box->data.p_padb->i_sample_count + 1) / 2;
	1679
	1680	p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );
	1681	p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );
	1682	p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );
	1683	p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );
	1684
	1685	for( i = 0; i < i_read / 2 ; i++ )
	1686	{
	1687	if( i >= count )
	1688	goto error;
	1689	p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;
	1690	p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;
	1691	p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;
	1692	p_box->data.p_padb->i_pad1[i] = ( (*p_peek) )&0x07;
	1693
	1694	p_peek += 1; i_read -= 1;
	1695	}
	1696
	1697	#ifdef MP4_VERBOSE
	1698	msg_Dbg( p_stream, "read box: \"stdp\" entry-count "I64Fd,
	1699	i_read / 2 );
	1700
	1701	#endif
	1702	code = 1;
	1703	error:
	1704	MP4_READBOX_EXIT( code );
	1705	}
	1706
1666	1707	static void MP4_FreeBox_padb( MP4_Box_t *p_box )
1667	1708	{
…	…
1670	1711	FREENULL( p_box->data.p_padb->i_reserved2 );
1671	1712	FREENULL( p_box->data.p_padb->i_pad1 );
1672		}
1673
1674		~~static int MP4_ReadBox_padb( stream_t p_stream, MP4_Box_t p_box )~~
1675		{
1676		~~int code = 0;~~
1677		~~unsigned int i;~~
1678		~~uint32_t count;~~
1679
1680		~~MP4_READBOX_ENTER( MP4_Box_data_padb_t );~~
1681
1682		~~MP4_GETVERSIONFLAGS( p_box->data.p_padb );~~
1683
1684
1685		~~MP4_GET4BYTES( p_box->data.p_padb->i_sample_count );~~
1686		~~count = (p_box->data.p_padb->i_sample_count + 1) / 2;~~
1687
1688		~~p_box->data.p_padb->i_reserved1 = calloc( count, sizeof(uint16_t) );~~
1689		~~p_box->data.p_padb->i_pad2 = calloc( count, sizeof(uint16_t) );~~
1690		~~p_box->data.p_padb->i_reserved2 = calloc( count, sizeof(uint16_t) );~~
1691		~~p_box->data.p_padb->i_pad1 = calloc( count, sizeof(uint16_t) );~~
1692
1693		~~for( i = 0; i < i_read / 2 ; i++ )~~
1694		{
1695		~~if( i >= count )~~
1696		{
1697		~~MP4_FreeBox_padb( p_box );~~
1698		~~goto error;~~
1699		}
1700		~~p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 7 )&0x01;~~
1701		~~p_box->data.p_padb->i_pad2[i] = ( (*p_peek) >> 4 )&0x07;~~
1702		~~p_box->data.p_padb->i_reserved1[i] = ( (*p_peek) >> 3 )&0x01;~~
1703		~~p_box->data.p_padb->i_pad1[i] = ( (*p_peek) )&0x07;~~
1704
1705		~~p_peek += 1; i_read -= 1;~~
1706		}
1707
1708		~~#ifdef MP4_VERBOSE~~
1709		~~msg_Dbg( p_stream, "read box: \"stdp\" entry-count "I64Fd,~~
1710		~~i_read / 2 );~~
1711
1712		~~#endif~~
1713		~~code = 1;~~
1714		~~error:~~
1715		~~MP4_READBOX_EXIT( code );~~
1716	1713	}
1717	1714
…	…
2585	2582	if( !(MP4_Box_Function[i_index].MP4_ReadBox_function)( p_stream, p_box ) )
2586	2583	{
2587		~~free(~~ p_box );
	2584	MP4_BoxFree( p_stream, p_box );
2588	2585	return NULL;
2589	2586	}

Navigation

Changeset 0e90ac58d8d1476cfdd81eb57e2a2a0eca0e5d91

Legend:

modules/demux/mp4/libmp4.c

Download in other formats: