mov_try_read_block is regularly called with sizes such as 48 bytes,
but would allocate 1 MiB each time, hogging more and more memory
until playback ends.
Fixes #7641 and #9243.
Signed-off-by: Hendi <hend...@freenet.de>
---
libavformat/mov.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index a8d004e02b..2e4df42256 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6662,6 +6662,9 @@ static int mov_try_read_block(AVIOContext *pb,
size_t size, uint8_t **data)
while (offset < size) {
unsigned int new_size =
alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size
+ block_size;
+ if (size < new_size) {
+ new_size = size;
+ }
uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size,
new_size);
unsigned int to_read = FFMIN(size, alloc_size) - offset;
if (!new_buffer) {
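Review bot: The added `if (size < new_size)` block sits between the `new_size` declaration and the `new_buffer`/`to_read` declarations, so those two are now declared after a statement; if the tree is built with `-Wdeclaration-after-statement`, this will warn. The clamp can be folded into the call instead, `uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, FFMIN(new_size, size));`, which keeps the declarations together. The clamp only ever lowers the request, so the growth of at most `block_size` per iteration still bounds the allocation when `size` is larger than what the input actually delivers (presumably `size` is taken from the file). A short comment such as `/* grow by at most block_size per pass so an oversized size field cannot force a large allocation up front */` would stop a later cleanup from allocating `size` directly. The function body starts before and continues past this hunk, so the read and error paths are not covered by this note.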
--
2.40.0.windows.1