[FFmpeg-devel] [PATCH] mxfdec: simplify code by using av_calloc()

Michael Niedermayer michaelni at gmx.at
Thu Jul 19 18:43:40 CEST 2012


On Wed, Feb 01, 2012 at 09:08:26PM +0100, Tomas Härdin wrote:
> On Wed, 2012-02-01 at 19:40 +0100, Nicolas George wrote:
> > Le tridi 13 pluviôse, an CCXX, Michael Niedermayer a écrit :
> > > Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> > > ---
> > >  libavformat/mxfdec.c |   26 +++++++-------------------
> > >  1 files changed, 7 insertions(+), 19 deletions(-)
> > > 
> > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > > index c927869..ea9bf6d 100644
> > > --- a/libavformat/mxfdec.c
> > > +++ b/libavformat/mxfdec.c
> > > @@ -395,12 +395,10 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
> > >                                item_len);
> > >          return AVERROR_PATCHWELCOME;
> > >      }
> > > -    if (item_num > UINT_MAX / item_len)
> > > -        return AVERROR_INVALIDDATA;
> > 
> > calloc checks for INT_MAX, but could someday check for SIZE_MAX: could it be
> > a problem somewhere else in the code, where something would assume that
> > item_num has been validated against UINT_MAX precisely?
> 
> I don't think it's too much of a problem. The only normal case where any
> array in the demuxer would approach such a huge size is the index
> tables.

> However, we could check item_num > 65536 here - there can be no more
> than that many local tags per partition (16-bit key).

ok, changed



> 
> > Probably not a problem.
> > 
> > > -    mxf->local_tags_count = item_num;
> > > -    mxf->local_tags = av_malloc(item_num*item_len);
> > > +    mxf->local_tags = av_calloc(item_num, item_len);
> > >      if (!mxf->local_tags)
> > >          return AVERROR(ENOMEM);
> > > +    mxf->local_tags_count = item_num;
> > 
> > I do not think you needed to move that last line.
> 
> This has the added benefit of local_tags and local_tags_count being
> consistent though (NULL <==> 0).
> 
> > >      avio_read(pb, mxf->local_tags, item_num*item_len);
> > >      return 0;
> > >  }
> > > @@ -564,9 +562,7 @@ static int mxf_read_content_storage(void *arg, AVIOContext *pb, int tag, int siz
> > >      switch (tag) {
> > >      case 0x1901:
> > >          mxf->packages_count = avio_rb32(pb);
> > > -        if (mxf->packages_count >= UINT_MAX / sizeof(UID))
> > > -            return AVERROR_INVALIDDATA;
> > > -        mxf->packages_refs = av_malloc(mxf->packages_count * sizeof(UID));
> > > +        mxf->packages_refs = av_calloc(mxf->packages_count, sizeof(UID));
> > >          if (!mxf->packages_refs)
> > >              return AVERROR(ENOMEM);
> > >          avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
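Review bot: In the `case 0x1901` path, `mxf->packages_count` is assigned from the file before the allocation, so when `av_calloc()` fails the function returns with a non-zero count and a NULL `packages_refs`. The primer-pack hunk was reordered to avoid exactly that state, but this hunk and the four after it (`tracks_count` in mxf_read_material_package and mxf_read_source_package, `structural_components_count` in mxf_read_sequence, `sub_descriptors_count` in mxf_read_generic_descriptor) keep the old order. The count comes straight from `avio_rb32(pb)`, so an oversized value in a malformed file reaches this path, and any later loop over the count, if one exists outside these hunks, would index a NULL array. Resetting on failure, `if (!mxf->packages_refs) { mxf->packages_count = 0; return AVERROR(ENOMEM); }`, keeps the pair consistent. The switch statement continues outside the hunk.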
> > > @@ -604,9 +600,7 @@ static int mxf_read_material_package(void *arg, AVIOContext *pb, int tag, int si
> > >      switch(tag) {
> > >      case 0x4403:
> > >          package->tracks_count = avio_rb32(pb);
> > > -        if (package->tracks_count >= UINT_MAX / sizeof(UID))
> > > -            return AVERROR_INVALIDDATA;
> > > -        package->tracks_refs = av_malloc(package->tracks_count * sizeof(UID));
> > > +        package->tracks_refs = av_calloc(package->tracks_count, sizeof(UID));
> > >          if (!package->tracks_refs)
> > >              return AVERROR(ENOMEM);
> > >          avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > > @@ -649,9 +643,7 @@ static int mxf_read_sequence(void *arg, AVIOContext *pb, int tag, int size, UID
> > >          break;
> > >      case 0x1001:
> > >          sequence->structural_components_count = avio_rb32(pb);
> > > -        if (sequence->structural_components_count >= UINT_MAX / sizeof(UID))
> > > -            return AVERROR_INVALIDDATA;
> > > -        sequence->structural_components_refs = av_malloc(sequence->structural_components_count * sizeof(UID));
> > > +        sequence->structural_components_refs = av_calloc(sequence->structural_components_count, sizeof(UID));
> > >          if (!sequence->structural_components_refs)
> > >              return AVERROR(ENOMEM);
> > >          avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > > @@ -667,9 +659,7 @@ static int mxf_read_source_package(void *arg, AVIOContext *pb, int tag, int size
> > >      switch(tag) {
> > >      case 0x4403:
> > >          package->tracks_count = avio_rb32(pb);
> > > -        if (package->tracks_count >= UINT_MAX / sizeof(UID))
> > > -            return AVERROR_INVALIDDATA;
> > > -        package->tracks_refs = av_malloc(package->tracks_count * sizeof(UID));
> > > +        package->tracks_refs = av_calloc(package->tracks_count, sizeof(UID));
> > >          if (!package->tracks_refs)
> > >              return AVERROR(ENOMEM);
> > >          avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > > @@ -771,9 +761,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int
> > >      switch(tag) {
> > >      case 0x3F01:
> > >          descriptor->sub_descriptors_count = avio_rb32(pb);
> > > -        if (descriptor->sub_descriptors_count >= UINT_MAX / sizeof(UID))
> > > -            return AVERROR_INVALIDDATA;
> > > -        descriptor->sub_descriptors_refs = av_malloc(descriptor->sub_descriptors_count * sizeof(UID));
> > > +        descriptor->sub_descriptors_refs = av_calloc(descriptor->sub_descriptors_count, sizeof(UID));
> > >          if (!descriptor->sub_descriptors_refs)
> > >              return AVERROR(ENOMEM);
> > >          avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > > -- 
> > > 1.7.5.4
> > 
> > This will return ENOMEM instead of INVALIDDATA if the values are bogus: is
> > it a problem?
> 
> That is a matter of interpretation. The file could indeed be valid, just
> require too much memory to make sense of. So either is fine IMO.
> 
> Everything looks OK.

ok, applied

sorry for the delay

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct awnser.