[FFmpeg-devel] [PATCH 5/9] lavf/oggdec: rework allocations in ogg_new_streams().

Clément Bœsch ubitux at gmail.com
Sun Sep 16 18:34:30 CEST 2012


On Sat, Sep 15, 2012 at 06:24:34PM +0200, Clément Bœsch wrote:
[...]
> > > diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
> > > index 05aeddd..fbc35dd 100644
> > > --- a/libavformat/oggdec.c
> > > +++ b/libavformat/oggdec.c
> > > @@ -165,18 +165,24 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
> > >  {
> > >  
> > >      struct ogg *ogg = s->priv_data;
> > > -    int idx = ogg->nstreams++;
> > > +    int idx = ogg->nstreams;
> > >      AVStream *st;
> > >      struct ogg_stream *os;
> > > +    size_t size;
> > >  
> > > -    ogg->streams = av_realloc (ogg->streams,
> > > -                               ogg->nstreams * sizeof (*ogg->streams));
> > > +    if (av_size_mult(ogg->nstreams + 1, sizeof(*ogg->streams), &size) < 0 ||
> > > +        !(os = av_realloc(ogg->streams, size)))
> > > +        return AVERROR(ENOMEM);
> > > +    ogg->streams = os;
> > > +    ogg->nstreams++;
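Review bot: ogg->nstreams++ right after "ogg->streams = os" commits the new count before the rest of the function has run. If any later step can fail, its error path must undo the increment, or the array keeps a counted entry that was never set up. Moving the increment to the last step before the successful return keeps nstreams in step with fully initialised entries. Separately, if nstreams is an int, as "int idx = ogg->nstreams" suggests, the "ogg->nstreams + 1" addition is evaluated before av_size_mult() sees it, so the overflow check covers the multiplication but not the addition.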
> > 
> > Without applying all patches and crosschecking, I suspect that
> > in the 1 stream replace case the stream is removed and then a new one added,
> > but when this fails we end with the old 1 stream array and streams=0
> > here while it's 1 in AVFormatContext.
> > That would leave the context inconsistent.
> 
> If the replace case fails prior to this patch, no error will be raised but
> AFAICT it will likely crash very quickly because of the NULL pointers and
> the memset. One of the following patches makes sure to split the replace code
> from this function so it should be safe.
> 

I've moved the nstreams increment to the end of the function when
everything is OK. I also made sure no memory is leaked in case of failure
in the middle of the function.

Patchset pushed, thanks for the review. Flame me on cvslog if you believe
something is wrong.

Regards,

-- 
Clément B.