From fcbf24b4e9cd444703948eb6d36da763a7e641f5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sat, 1 Mar 2008 18:20:01 +0000
Subject: [PATCH] Check some malloc() failures - yes it can happen when the alloc size is variable. Unfortunately, the MP4 code seems pretty hopeless.
---
 modules/demux/mp4/libmp4.c | 38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
index 6fe3657d82..5d25e0f05d 100644
--- a/modules/demux/mp4/libmp4.c
+++ b/modules/demux/mp4/libmp4.c
@@ -68,8 +68,11 @@
 { \
 const int __i_copy__ = strnlen( (char*)p_peek, i_read-1 ); \
 p_str = malloc( __i_copy__+1 ); \
- if( __i_copy__ > 0 ) memcpy( p_str, p_peek, __i_copy__ ); \
- p_str[__i_copy__] = 0; \
+ if( p_str ) \
+ { \
+ memcpy( p_str, p_peek, __i_copy__ ); \
+ p_str[__i_copy__] = 0; \
+ } \
 p_peek += __i_copy__ + 1; \
 i_read -= __i_copy__ + 1; \
 } \
@@ -588,6 +591,7 @@ static int MP4_ReadBox_mdhd( stream_t *p_stream, MP4_Box_t *p_box )
 static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box )
 {
 int32_t i_reserved;
+ int code = 0;
 MP4_READBOX_ENTER( MP4_Box_data_hdlr_t );
@@ -603,7 +607,9 @@ static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box )
 if( i_read > 0 )
 {
- p_box->data.p_hdlr->psz_name = malloc( i_read + 1 );
+ uint8_t *psz = p_box->data.p_hdlr->psz_name = malloc( i_read + 1 );
+ if( psz == NULL )
+ goto error;
 /* Yes, I love .mp4 :( */
 if( p_box->data.p_hdlr->i_predefined == VLC_FOURCC( 'm', 'h', 'l', 'r' ) )
@@ -614,12 +620,12 @@ static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box )
 MP4_GET1BYTE( i_len );
 i_copy = __MIN( i_read, i_len );
- memcpy( p_box->data.p_hdlr->psz_name, p_peek, i_copy );
+ memcpy( psz, p_peek, i_copy );
 p_box->data.p_hdlr->psz_name[i_copy] = '\0';
 }
 else
 {
- memcpy( p_box->data.p_hdlr->psz_name, p_peek, i_read );
+ memcpy( psz, p_peek, i_read );
 p_box->data.p_hdlr->psz_name[i_read] = '\0';
 }
 }
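Review bot: In the MP4_GETSTRINGZ hunk, a failed malloc() now leaves `p_str` NULL while `p_peek` and `i_read` still advance, so the box parser carries on as if the string had been read. Nothing in the visible part of the macro reports the failure, so every consumer of a field filled by it has to tolerate NULL. A comment above the macro would record that contract, for example `/* p_str is NULL on allocation failure; callers must check before use */`. Separately, the strnlen() result is held in a `const int` named `__i_copy__`; `size_t` would match the API and a name without the leading double underscore would stay out of the reserved namespace, though whether `i_read` can exceed INT_MAX is not visible here. The macro starts and ends outside the hunk.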
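Review bot: In the two memcpy() changes of MP4_ReadBox_hdlr, the copy now goes through the local `psz`, but the terminator on the following line is still written through `p_box->data.p_hdlr->psz_name[...]`. Using the same alias for both keeps the NULL-checked pointer and the written pointer visibly identical: `psz[i_copy] = '\0';` and `psz[i_read] = '\0';`. The function body starts and ends outside this hunk.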
@@ -630,7 +636,10 @@ static int MP4_ReadBox_hdlr( stream_t *p_stream, MP4_Box_t *p_box )
 p_box->data.p_hdlr->psz_name );
 #endif
- MP4_READBOX_EXIT( 1 );
+ code = 1;
+
+error:
+ MP4_READBOX_EXIT( code );
 }
 static void MP4_FreeBox_hdlr( MP4_Box_t *p_box )
@@ -891,8 +900,11 @@ static int MP4_ReadBox_esds( stream_t *p_stream, MP4_Box_t *p_box )
 MP4_GET1BYTE( i_len );
 es_descriptor.psz_URL = malloc( i_len + 1 );
- memcpy( es_descriptor.psz_URL, p_peek, i_len );
- es_descriptor.psz_URL[i_len] = 0;
+ if( es_descriptor.psz_URL )
+ {
+ memcpy( es_descriptor.psz_URL, p_peek, i_len );
+ es_descriptor.psz_URL[i_len] = 0;
+ }
 p_peek += i_len;
 i_read -= i_len;
 }
@@ -947,8 +959,9 @@ static int MP4_ReadBox_esds( stream_t *p_stream, MP4_Box_t *p_box )
 es_descriptor.p_decConfigDescr->i_decoder_specific_info_len = i_len;
 es_descriptor.p_decConfigDescr->p_decoder_specific_info = malloc( i_len );
- memcpy( es_descriptor.p_decConfigDescr->p_decoder_specific_info,
- p_peek, i_len );
+ if( es_descriptor.p_decConfigDescr->p_decoder_specific_info )
+ memcpy( es_descriptor.p_decConfigDescr->p_decoder_specific_info,
+ p_peek, i_len );
 MP4_READBOX_EXIT( 1 );
@@ -976,8 +989,9 @@ static int MP4_ReadBox_avcC( stream_t *p_stream, MP4_Box_t *p_box )
 p_avcC->i_avcC = i_read;
 if( p_avcC->i_avcC > 0 )
 {
- p_avcC->p_avcC = malloc( p_avcC->i_avcC );
- memcpy( p_avcC->p_avcC, p_peek, i_read );
+ uint8_t * p = p_avcC->p_avcC = malloc( p_avcC->i_avcC );
+ if( p )
+ memcpy( p, p_peek, i_read );
 }
 MP4_GET1BYTE( p_avcC->i_version );
-- 
2.39.2
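Review bot: In the psz_URL branch of MP4_ReadBox_esds, `i_len` comes straight from `MP4_GET1BYTE` and is used as the memcpy() length from `p_peek` with no comparison against `i_read` visible in the hunk; the new NULL check does not cover that. A truncated or malformed box could make the copy read past the peeked data, and `i_read -= i_len` would then go negative or wrap depending on its type, which is declared outside the hunk. MP4_ReadBox_hdlr in this same patch clamps with `i_copy = __MIN( i_read, i_len );`, and the same clamp before the malloc() here would bound the read: `i_len = __MIN( i_read, i_len );`. The function continues outside the hunk.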
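Review bot: When malloc() fails in the decoder-specific-info block of MP4_ReadBox_esds, `i_decoder_specific_info_len` has already been set to `i_len` and the function still leaves through `MP4_READBOX_EXIT( 1 )`, so the box is reported as read with a non-zero length and a NULL buffer. A consumer that trusts the length would then read from NULL. Resetting the length on failure keeps the pair consistent: `else es_descriptor.p_decConfigDescr->i_decoder_specific_info_len = 0;`. The MP4_ReadBox_avcC hunk that follows has the same shape, since `p_avcC->i_avcC` keeps `i_read` while `p_avcC->p_avcC` may be NULL, and would take `else p_avcC->i_avcC = 0;` after the `if( p )`. Both functions extend outside their hunks.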