2017-12-31 22:17 GMT+01:00 Michael Niedermayer <mich...@niedermayer.cc>:
> On Sat, Dec 30, 2017 at 02:36:39PM +0100, Carl Eugen Hoyos wrote:
>> 2017-12-29 23:37 GMT+01:00 Carl Eugen Hoyos <ceffm...@gmail.com>:
>> > 2017-11-28 21:32 GMT+01:00 Michael Niedermayer <mich...@niedermayer.cc>:
>> >> On Mon, Nov 27, 2017 at 05:24:14AM +0100, Carl Eugen Hoyos wrote:
>> >
>> >>> for (i = 0; i < entries && !pb->eof_reached; i++) {
>> >>> - int sample_duration;
>> >>> + int sample_duration, ret;
>> >>> unsigned int sample_count;
>> >>> + if (i > sc->stts_count) {
>> >>> + ret = av_reallocp_array(&sc->stts_data,
>> >>> + FFMIN(sc->stts_count * 2LL,
>> >>> entries),
>> >>> + sizeof(*sc->stts_data));
>> >>
>> >> this should use a variant of av_fast_realloc
>> >
>> > Do you prefer the new patch?
>> > The old variant here looks slightly saner to me.
>>
>> Attached is what you possibly had in mind.
>>
>> Please review, Carl Eugen
>
>> mov.c | 13 +++++++++++--
>> 1 file changed, 11 insertions(+), 2 deletions(-)
>> cc7986179fe0ddc394457e8543d9ae907b49373c
>> 0001-lavf-mov-Use-av_fast_realloc-in-mov_read_stts.patch
>> From f5fcd9ed1e5ce604c358a3787f1977277005ebb5 Mon Sep 17 00:00:00 2001
>> From: Carl Eugen Hoyos <ceffm...@gmail.com>
>> Date: Sat, 30 Dec 2017 14:34:41 +0100
>> Subject: [PATCH] lavf/mov: Use av_fast_realloc() in mov_read_stts().
>>
>> Avoids large allocations for short files with invalid stts entry.
>> Fixes bugzilla 1102.
>> ---
>> libavformat/mov.c | 13 +++++++++++--
>> 1 file changed, 11 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 2064473..1e97652 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -2850,13 +2850,22 @@ static int mov_read_stts(MOVContext *c, AVIOContext
>> *pb, MOVAtom atom)
>> av_log(c->fc, AV_LOG_WARNING, "Duplicated STTS atom\n");
>> av_free(sc->stts_data);
>> sc->stts_count = 0;
>> - sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data));
>> - if (!sc->stts_data)
>> + if (entries >= INT_MAX / sizeof(*sc->stts_data))
>> return AVERROR(ENOMEM);
>
> this leaves a stale pointer on error in sc->stts_data
New patch attached.
Thank you, Carl Eugen
From 42fc4aabccb5b5da0db2fd312187d90b303e96f7 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <ceffm...@gmail.com>
Date: Sun, 31 Dec 2017 22:25:29 +0100
Subject: [PATCH] lavf/mov: Use av_fast_realloc() in mov_read_stts().
Avoids large allocations for short files with invalid stts entry.
Fixes bugzilla 1102.
---
libavformat/mov.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2064473..ee86c65 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2848,15 +2848,24 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (sc->stts_data)
av_log(c->fc, AV_LOG_WARNING, "Duplicated STTS atom\n");
- av_free(sc->stts_data);
+ av_freep(&sc->stts_data);
sc->stts_count = 0;
- sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data));
- if (!sc->stts_data)
+ if (entries >= INT_MAX / sizeof(*sc->stts_data))
return AVERROR(ENOMEM);
for (i = 0; i < entries && !pb->eof_reached; i++) {
int sample_duration;
unsigned int sample_count;
+ unsigned alloc_size = 0, min_entries = FFMIN(FFMAX(i, 1024 * 1024), entries);
+ MOVStts *stts_data = av_fast_realloc(sc->stts_data, &alloc_size,
+ min_entries * sizeof(*sc->stts_data));
+ if (!stts_data) {
+ av_freep(&sc->stts_data);
+ sc->stts_count = 0;
+ return AVERROR(ENOMEM);
+ }
+ sc->stts_count = min_entries;
+ sc->stts_data = stts_data;
sample_count=avio_rb32(pb);
sample_duration = avio_rb32(pb);
--
1.7.10.4
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
