[FFmpeg-devel] [PATCH 1/3] Sanitize av_realloc() use in h264 mp4toannexb bistream filter.

Benoit Fouet benoit.fouet
Wed Jun 9 11:49:13 CEST 2010 

---
 libavcodec/h264_mp4toannexb_bsf.c |   29 +++++++++++++++++++++--------
 1 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index f249b7f..63653e4 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -28,14 +28,18 @@ typedef struct H264BSFContext {
     int      extradata_parsed;
 } H264BSFContext;
 
-static void alloc_and_copy(uint8_t **poutbuf,          int *poutbuf_size,
+static int alloc_and_copy(uint8_t **poutbuf,          int *poutbuf_size,
                            const uint8_t *sps_pps, uint32_t sps_pps_size,
                            const uint8_t *in,      uint32_t in_size) {
     uint32_t offset = *poutbuf_size;
     uint8_t nal_header_size = offset ? 3 : 4;
+    void *tmp;
 
     *poutbuf_size += sps_pps_size+in_size+nal_header_size;
-    *poutbuf = av_realloc(*poutbuf, *poutbuf_size);
+    tmp = av_realloc(*poutbuf, *poutbuf_size);
+    if (!tmp)
+        return AVERROR(ENOMEM);
+    *poutbuf = tmp;
     if (sps_pps)
         memcpy(*poutbuf+offset, sps_pps, sps_pps_size);
     memcpy(*poutbuf+sps_pps_size+nal_header_size+offset, in, in_size);
@@ -45,6 +49,8 @@ static void alloc_and_copy(uint8_t **poutbuf,          int *poutbuf_size,
         (*poutbuf+offset+sps_pps_size)[0] = (*poutbuf+offset+sps_pps_size)[1] = 0;
         (*poutbuf+offset+sps_pps_size)[2] = 1;
     }
+
+    return 0;
 }
 
 static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
@@ -85,15 +91,20 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
             sps_done++;
         }
         while (unit_nb--) {
+            void *tmp;
+
             unit_size = AV_RB16(extradata);
             total_size += unit_size+4;
             if (total_size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE || extradata+2+unit_size > avctx->extradata+avctx->extradata_size) {
                 av_free(out);
                 return AVERROR(EINVAL);
             }
-            out = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE);
-            if (!out)
+            tmp = av_realloc(out, total_size + FF_INPUT_BUFFER_PADDING_SIZE);
+            if (!tmp) {
+                av_free(out);
                 return AVERROR(ENOMEM);
+            }
+            out = tmp;
             memcpy(out+total_size-unit_size-4, nalu_header, 4);
             memcpy(out+total_size-unit_size,   extradata+2, unit_size);
             extradata += 2+unit_size;
@@ -131,15 +142,17 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
 
         /* prepend only to the first type 5 NAL unit of an IDR picture */
         if (ctx->first_idr && unit_type == 5) {
-            alloc_and_copy(poutbuf, poutbuf_size,
+            if (alloc_and_copy(poutbuf, poutbuf_size,
                            avctx->extradata, avctx->extradata_size,
-                           buf, nal_size);
+                               buf, nal_size) < 0)
+                goto fail;
             ctx->first_idr = 0;
         }
         else {
-            alloc_and_copy(poutbuf, poutbuf_size,
+            if (alloc_and_copy(poutbuf, poutbuf_size,
                            NULL, 0,
-                           buf, nal_size);
+                               buf, nal_size) < 0)
+                goto fail;
             if (!ctx->first_idr && unit_type == 1)
                 ctx->first_idr = 1;
         }
-- 
1.7.1.11.g3bf78

More information about the ffmpeg-devel mailing list