If sc->ctts_allocated_size is larger than the new buffer size,
av_fast_realloc() will return NULL. Since sc->ctts_data is freed,
ctts_allocated_size should be reset to zero. It's better to avoid
free sc->ctts_data at the first place to make better use of
av_fast_realloc().
---
libavformat/mov.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index dcd263b02a..fcb5a583bd 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3014,6 +3014,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
{
AVStream *st;
MOVStreamContext *sc;
+ MOVStts *ctts_data;
unsigned int i, entries, ctts_count = 0;
if (c->fc->nb_streams < 1)
@@ -3031,10 +3032,13 @@ static int mov_read_ctts(MOVContext *c, AVIOContext
*pb, MOVAtom atom)
return 0;
if (entries >= UINT_MAX / sizeof(*sc->ctts_data))
return AVERROR_INVALIDDATA;
- av_freep(&sc->ctts_data);
- sc->ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size, entries *
sizeof(*sc->ctts_data));
- if (!sc->ctts_data)
+ ctts_data = av_fast_realloc(sc->ctts_data, &sc->ctts_allocated_size,
entries * sizeof(*sc->ctts_data));
+ if (!ctts_data) {
+ av_freep(&sc->ctts_data);
+ sc->ctts_allocated_size = 0;
return AVERROR(ENOMEM);
+ }
+ sc->ctts_data = ctts_data;
for (i = 0; i < entries && !pb->eof_reached; i++) {
int count = avio_rb32(pb);
--
2.25.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
