From 7a086a852cca662ceb54d88383d74dd366914dd6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 23 Jan 2010 01:25:19 +0000
Subject: Fix heap overflow with -async. Fixes issue1666
Originally committed as revision 21390 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 ffmpeg.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'ffmpeg.c')
diff --git a/ffmpeg.c b/ffmpeg.c
index ef8311f9f6..011b083ce2 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -563,6 +563,7 @@ static void do_audio_out(AVFormatContext *s,
 {
     uint8_t *buftmp;
     int64_t audio_out_size, audio_buf_size;
+    int64_t allocated_for_size= size;
     int size_out, frame_bytes, ret;
     AVCodecContext *enc= ost->st->codec;
@@ -571,7 +572,8 @@ static void do_audio_out(AVFormatContext *s,
     int isize= av_get_bits_per_sample_format(dec->sample_fmt)/8;
     const int coded_bps = av_get_bits_per_sample(enc->codec->id);
-    audio_buf_size= (size + isize*dec->channels - 1) / (isize*dec->channels);
+need_realloc:
+    audio_buf_size= (allocated_for_size + isize*dec->channels - 1) / (isize*dec->channels);
     audio_buf_size= (audio_buf_size*enc->sample_rate + dec->sample_rate) / dec->sample_rate;
     audio_buf_size= audio_buf_size*2 + 10000; //safety factors for the deprecated resampling API
     audio_buf_size*= osize*enc->channels;
@@ -649,10 +651,11 @@ static void do_audio_out(AVFormatContext *s,
             static uint8_t *input_tmp= NULL;
             input_tmp= av_realloc(input_tmp, byte_delta + size);
-            if(byte_delta + size <= MAX_AUDIO_PACKET_SIZE)
-                ist->is_start=0;
-            else
-                byte_delta= MAX_AUDIO_PACKET_SIZE - size;
+            if(byte_delta > allocated_for_size - size){
+                allocated_for_size= byte_delta + (int64_t)size;
+                goto need_realloc;
+            }
+            ist->is_start=0;
             memset(input_tmp, 0, byte_delta);
             memcpy(input_tmp + byte_delta, buf, size);
-- 
cgit v1.2.3
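Review bot: In the third hunk the result of `input_tmp= av_realloc(input_tmp, byte_delta + size);` is still never checked, and the new code now flows straight into `memset(input_tmp, 0, byte_delta)` and `memcpy(input_tmp + byte_delta, buf, size)`, so an allocation failure dereferences NULL; add `if (!input_tmp) { fprintf(stderr, "Could not allocate audio padding buffer\n"); exit(1); }` (or the file's usual fatal-exit helper) before the memset. That failure is now reachable by input rather than only by OOM: the deleted `byte_delta= MAX_AUDIO_PACKET_SIZE - size` branch was the only cap on `byte_delta`, so whatever derives it from stream timestamps outside this hunk can, with `-async`, make a single crafted timestamp gap request an arbitrarily large buffer both here and, via `allocated_for_size` and `goto need_realloc`, for the buffers sized from `audio_buf_size` in the second hunk; a reviewer would want an explicit upper bound on `byte_delta` (or a `(int64_t)` check against a sane maximum) restored before the realloc, and should confirm that the allocator the second hunk feeds `audio_buf_size` to does not take a narrower unsigned size that the `int64_t` would silently truncate into. Also note that the realloc runs before the bound check, so on the `goto need_realloc` path it is executed twice and the first result is discarded; moving the realloc below the new `if` avoids the redundant call. The enclosing function do_audio_out() starts and ends outside these hunks, so the code between `need_realloc:` and the check that is re-executed by the goto could not be reviewed for other side effects.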