From ca402f32e392590a81a1381dab41c4f9c2c2f98a Mon Sep 17 00:00:00 2001 From: Max Horn Date: Tue, 12 Apr 2011 17:44:20 +0200 Subject: handle malloc failures in ff_get_wav_header ff_get_wav_header is reading data from a WAVE file and then uses it (without validation) to malloc a buffer. It then proceeded to read data into the buffer, without verifying that the allocation succeeded. To address this, change ff_get_wav_header to return an error if allocation failed, and adapted all calling code to handle that error. Signed-off-by: Luca Barbato --- libavformat/wav.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'libavformat/wav.c') diff --git a/libavformat/wav.c b/libavformat/wav.c index 47685d466a..21374e8b93 100644 --- a/libavformat/wav.c +++ b/libavformat/wav.c @@ -196,6 +196,7 @@ static int wav_read_header(AVFormatContext *s, AVIOContext *pb = s->pb; AVStream *st; WAVContext *wav = s->priv_data; + int ret; /* check RIFF header */ tag = avio_rl32(pb); @@ -228,7 +229,9 @@ static int wav_read_header(AVFormatContext *s, if (!st) return AVERROR(ENOMEM); - ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(pb, st->codec, size); + if (ret < 0) + return ret; st->need_parsing = AVSTREAM_PARSE_FULL; av_set_pts_info(st, 64, 1, st->codec->sample_rate); @@ -384,6 +387,7 @@ static int w64_read_header(AVFormatContext *s, AVFormatParameters *ap) WAVContext *wav = s->priv_data; AVStream *st; uint8_t guid[16]; + int ret; avio_read(pb, guid, 16); if (memcmp(guid, guid_riff, 16)) @@ -409,7 +413,9 @@ static int w64_read_header(AVFormatContext *s, AVFormatParameters *ap) return AVERROR(ENOMEM); /* subtract chunk header size - normal wav file doesn't count it */ - ff_get_wav_header(pb, st->codec, size - 24); + ret = ff_get_wav_header(pb, st->codec, size - 24); + if (ret < 0) + return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); st->need_parsing = AVSTREAM_PARSE_FULL; -- cgit v1.2.3