diff options
| -rw-r--r-- | libavformat/aiffdec.c | 19 | ||||
| -rw-r--r-- | libavformat/apetag.c | 17 | ||||
| -rw-r--r-- | libavformat/asfdec.c | 16 | ||||
| -rw-r--r-- | libavformat/avidec.c | 15 | ||||
| -rw-r--r-- | libavformat/flvdec.c | 46 | ||||
| -rw-r--r-- | libavformat/oggparsevorbis.c | 7 | ||||
| -rw-r--r-- | libavformat/soxdec.c | 11 | ||||
| -rw-r--r-- | libavformat/vqf.c | 13 | ||||
| -rw-r--r-- | libavformat/wc3movie.c | 17 |
9 files changed, 91 insertions, 70 deletions
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 60c44ea5e8..a56bb0911d 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -66,19 +66,20 @@ static int get_tag(ByteIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t str[1024]; - int res = get_buffer(s->pb, str, FFMIN(sizeof(str)-1, size)); + uint8_t *str = av_malloc(size+1); + int res; + + if (!str) { + url_fskip(s->pb, size); + return; + } + + res = get_buffer(s->pb, str, size); if (res < 0) return; str[res] = 0; - if (size & 1) - size++; - size -= res; - if (size) - url_fskip(s->pb, size); - - av_metadata_set(&s->metadata, key, str); + av_metadata_set2(&s->metadata, key, str, AV_METADATA_DONT_STRDUP_VAL); } /* Returns the number of sound data frames or negative on error */ diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 262270cd42..bc91507c87 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -33,7 +33,7 @@ static int ape_tag_read_field(AVFormatContext *s) { ByteIOContext *pb = s->pb; - uint8_t key[1024], value[1024]; + uint8_t key[1024], *value; uint32_t size, flags; int i, l, c; @@ -51,13 +51,14 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - l = FFMIN(size, sizeof(value)-1); - get_buffer(pb, value, l); - value[l] = 0; - url_fskip(pb, size-l); - if (l < size) - av_log(s, AV_LOG_WARNING, "Too long '%s' tag was truncated.\n", key); - av_metadata_set(&s->metadata, key, value); + if (size >= UINT_MAX) + return -1; + value = av_malloc(size+1); + if (!value) + return AVERROR_NOMEM; + get_buffer(pb, value, size); + value[size] = 0; + av_metadata_set2(&s->metadata, key, value, AV_METADATA_DONT_STRDUP_VAL); return 0; } diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 543faf29d4..78c99f3aa3 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -152,19 +152,27 @@ static int get_value(ByteIOContext *pb, int type){ static void get_tag(AVFormatContext *s, const char *key, int type, int len) { - char value[1024]; + char *value; + + if ((unsigned)len >= UINT_MAX) + return; + + value = av_malloc(len+1); + if (!value) + return; + if (type <= 1) { // unicode or byte - get_str16_nolen(s->pb, len, value, sizeof(value)); + get_str16_nolen(s->pb, len, value, len); } else if (type <= 5) { // boolean or DWORD or QWORD or WORD uint64_t num = get_value(s->pb, type); - snprintf(value, sizeof(value), "%"PRIu64, num); + snprintf(value, len, "%"PRIu64, num); } else { url_fskip(s->pb, len); return; } if (!strncmp(key, "WM/", 3)) key += 3; - av_metadata_set(&s->metadata, key, value); + av_metadata_set2(&s->metadata, key, value, AV_METADATA_DONT_STRDUP_VAL); } static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5be93949f7..6719c9d6e7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -230,14 +230,19 @@ static void clean_index(AVFormatContext *s){ static int avi_read_tag(AVFormatContext *s, const char *key, unsigned int size) { ByteIOContext *pb = s->pb; - uint8_t value[1024]; + char *value; - int64_t i = url_ftell(pb); size += (size & 1); - get_strz(pb, value, sizeof(value)); - url_fseek(pb, i+size, SEEK_SET); - return av_metadata_set(&s->metadata, key, value); + if (size == UINT_MAX) + return -1; + value = av_malloc(size+1); + if (!value) + return -1; + get_strz(pb, value, size); + + return av_metadata_set2(&s->metadata, key, value, + AV_METADATA_DONT_STRDUP_VAL); } static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 2be5e2d689..c6428b4bbc 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -104,25 +104,25 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co return 0; } -static int amf_get_string(ByteIOContext *ioc, char *buffer, int buffsize) { - int length = get_be16(ioc); - if(length >= buffsize) { - url_fskip(ioc, length); - return -1; - } +static int amf_get_string(ByteIOContext *ioc, char **buf) +{ + uint16_t len = get_be16(ioc); - get_buffer(ioc, buffer, length); + *buf = av_malloc(len+1); + if (!*buf) + return AVERROR_NOMEM; - buffer[length] = '\0'; + get_buffer(ioc, *buf, len); + (*buf)[len] = '\0'; - return length; + return len; } static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vstream, const char *key, int64_t max_pos, int depth) { AVCodecContext *acodec, *vcodec; ByteIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char *str = NULL; double num_val; num_val = 0; @@ -136,7 +136,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst case AMF_DATA_TYPE_BOOL: num_val = get_byte(ioc); break; case AMF_DATA_TYPE_STRING: - if(amf_get_string(ioc, str_val, sizeof(str_val)) < 0) + if(amf_get_string(ioc, &str) < 0) return -1; break; case AMF_DATA_TYPE_OBJECT: { @@ -157,10 +157,11 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst break; //these take up no additional space case AMF_DATA_TYPE_MIXEDARRAY: url_fskip(ioc, 4); //skip 32-bit max array index - while(url_ftell(ioc) < max_pos - 2 && amf_get_string(ioc, str_val, sizeof(str_val)) > 0) { + while(url_ftell(ioc) < max_pos - 2 && amf_get_string(ioc, &str) > 0) { //this is the only case in which we would want a nested parse to not skip over the object - if(amf_parse_object(s, astream, vstream, str_val, max_pos, depth + 1) < 0) + if(amf_parse_object(s, astream, vstream, str, max_pos, depth + 1) < 0) return -1; + av_freep(&str); } if(get_byte(ioc) != AMF_END_OF_OBJECT) return -1; @@ -187,16 +188,15 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst vcodec = vstream ? vstream->codec : NULL; if(amf_type == AMF_DATA_TYPE_BOOL) { - av_strlcpy(str_val, num_val > 0 ? "true" : "false", sizeof(str_val)); - av_metadata_set(&s->metadata, key, str_val); + av_metadata_set2(&s->metadata, key, av_d2str(num_val), AV_METADATA_DONT_STRDUP_VAL); } else if(amf_type == AMF_DATA_TYPE_NUMBER) { - snprintf(str_val, sizeof(str_val), "%.f", num_val); - av_metadata_set(&s->metadata, key, str_val); + av_metadata_set2(&s->metadata, key, av_d2str(num_val), AV_METADATA_DONT_STRDUP_VAL); if(!strcmp(key, "duration")) s->duration = num_val * AV_TIME_BASE; else if(!strcmp(key, "videodatarate") && vcodec && 0 <= (int)(num_val * 1024.0)) vcodec->bit_rate = num_val * 1024.0; } else if (amf_type == AMF_DATA_TYPE_STRING) - av_metadata_set(&s->metadata, key, str_val); + av_metadata_set2(&s->metadata, key, str, + AV_METADATA_DONT_STRDUP_VAL); } return 0; @@ -207,7 +207,7 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { AVStream *stream, *astream, *vstream; ByteIOContext *ioc; int i; - char buffer[11]; //only needs to hold the string "onMetaData". Anything longer is something we don't want. + char *buf = NULL; //only needs to hold the string "onMetaData". Anything longer is something we don't want. astream = NULL; vstream = NULL; @@ -215,8 +215,11 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { //first object needs to be "onMetaData" string type = get_byte(ioc); - if(type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0 || strcmp(buffer, "onMetaData")) + if (type != AMF_DATA_TYPE_STRING || + amf_get_string(ioc, &buf) < 0 || strcmp(buf, "onMetaData")) { + av_freep(&buf); return -1; + } //find the streams now so that amf_parse_object doesn't need to do the lookup every time it is called. for(i = 0; i < s->nb_streams; i++) { @@ -226,8 +229,9 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { } //parse the second object (we want a mixed array) - if(amf_parse_object(s, astream, vstream, buffer, next_pos, 0) < 0) + if(amf_parse_object(s, astream, vstream, buf, next_pos, 0) < 0) return -1; + av_freep(&buf); return 0; } diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index fd23cb06b9..6222962019 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -102,10 +102,9 @@ vorbis_comment(AVFormatContext * as, uint8_t *buf, int size) memcpy(ct, v, vl); ct[vl] = 0; - av_metadata_set(&as->metadata, tt, ct); - - av_freep(&tt); - av_freep(&ct); + av_metadata_set2(&as->metadata, tt, ct, + AV_METADATA_DONT_STRDUP_KEY | + AV_METADATA_DONT_STRDUP_VAL); } } diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index 59c0278ce2..ceaedec293 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -93,15 +93,16 @@ static int sox_read_header(AVFormatContext *s, return -1; } - if (comment_size && - comment_size + FF_INPUT_BUFFER_PADDING_SIZE >= comment_size) { - char *comment = av_mallocz(comment_size + FF_INPUT_BUFFER_PADDING_SIZE); + if (comment_size && comment_size < UINT_MAX) { + char *comment = av_malloc(comment_size+1); if (get_buffer(pb, comment, comment_size) != comment_size) { av_freep(&comment); return AVERROR_IO; } - av_metadata_set(&s->metadata, "comment", comment); - av_freep(&comment); + comment[comment_size] = 0; + + av_metadata_set2(&s->metadata, "comment", comment, + AV_METADATA_DONT_STRDUP_VAL); } url_fskip(pb, header_size - SOX_FIXED_HDR - comment_size); diff --git a/libavformat/vqf.c b/libavformat/vqf.c index d2b48dda04..40fea47157 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -45,15 +45,18 @@ static int vqf_probe(AVProbeData *probe_packet) static void add_metadata(AVFormatContext *s, const char *tag, unsigned int tag_len, unsigned int remaining) { - char buf[2048]; - int len = FFMIN3(tag_len, remaining, sizeof(buf) - 1); + int len = FFMIN(tag_len, remaining); + char *buf; - if (len != tag_len) - av_log(s, AV_LOG_ERROR, "Warning: truncating metadata!\n"); + if (len == UINT_MAX) + return; + buf = av_malloc(len+1); + if (!buf) + return; get_buffer(s->pb, buf, len); buf[len] = 0; - av_metadata_set(&s->metadata, tag, buf); + av_metadata_set2(&s->metadata, tag, buf, AV_METADATA_DONT_STRDUP_VAL); } static int vqf_read_header(AVFormatContext *s, AVFormatParameters *ap) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index 5369057dd4..502ff52564 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -140,10 +140,9 @@ static int wc3_read_header(AVFormatContext *s, unsigned int fourcc_tag; unsigned int size; AVStream *st; - char buffer[513]; int ret = 0; int current_palette = 0; - int bytes_to_read; + char *buffer; int i; unsigned char rotate; @@ -185,14 +184,14 @@ static int wc3_read_header(AVFormatContext *s, case BNAM_TAG: /* load up the name */ - if ((unsigned)size < 512) - bytes_to_read = size; - else - bytes_to_read = 512; - if ((ret = get_buffer(pb, buffer, bytes_to_read)) != bytes_to_read) + buffer = av_malloc(size+1); + if (!buffer) + return AVERROR_NOMEM; + if ((ret = get_buffer(pb, buffer, size)) != size) return AVERROR(EIO); - buffer[bytes_to_read] = 0; - av_metadata_set(&s->metadata, "title", buffer); + buffer[size] = 0; + av_metadata_set2(&s->metadata, "title", buffer, + AV_METADATA_DONT_STRDUP_VAL); break; case SIZE_TAG: |