[FFmpeg-devel] [PATCH] libavformat/ffmetadec: use dynamic allocation for line buffer

Michael Niedermayer michael at niedermayer.cc
Thu Nov 8 21:50:28 EET 2018


On Wed, Nov 07, 2018 at 02:34:43PM +0100, Fran├žois Revol wrote:
> When adding thumbnails to OGG files, the line can easily go up to 100kB.
> 
> We thus try to allocate the file size or SIZE_MAX to avoid truncation.
> ---
>  libavformat/ffmetadec.c | 21 +++++++++++++++++----
>  1 file changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/libavformat/ffmetadec.c b/libavformat/ffmetadec.c
> index 3290b3b7bc..ccbff51c03 100644
> --- a/libavformat/ffmetadec.c
> +++ b/libavformat/ffmetadec.c
> @@ -128,16 +128,26 @@ static int read_tag(const uint8_t *line, AVDictionary **m)
>  static int read_header(AVFormatContext *s)
>  {
>      AVDictionary **m = &s->metadata;
> -    uint8_t line[1024];
> +    int64_t line_size = avio_size(s->pb);
> +    uint8_t *line;
> +
> +    if (line_size < 1 || line_size > SIZE_MAX)
> +       line_size = SIZE_MAX;
> +
> +    line = av_malloc(line_size);
> +    if (!line)
> +        return AVERROR(ENOMEM);

this would use alot of memory for large files, also avio_size() will not
work with all inputs
using av_fast_realloc() or similar should avoid both issues


>  
>      while(!avio_feof(s->pb)) {
> -        get_line(s->pb, line, sizeof(line));
> +        get_line(s->pb, line, line_size);
>  

>          if (!memcmp(line, ID_STREAM, strlen(ID_STREAM))) {

out of memory access can happen here


thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The smallest minority on earth is the individual. Those who deny 
individual rights cannot claim to be defenders of minorities. - Ayn Rand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20181108/bd13d68e/attachment.sig>


More information about the ffmpeg-devel mailing list