Browse code
Fixed segfault on corrupted smacker streams in the demuxer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Laurent Aimar authored on 2011/09/12 01:51:52Showing 1 changed files
| ... | ... |
@@ -291,6 +291,10 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) |
| 291 | 291 |
frame_size -= 4; |
| 292 | 292 |
smk->curstream++; |
| 293 | 293 |
smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); |
| 294 |
+ if (!smk->bufs[smk->curstream]) {
|
|
| 295 |
+ smk->buf_sizes[smk->curstream] = 0; |
|
| 296 |
+ return AVERROR(ENOMEM); |
|
| 297 |
+ } |
|
| 294 | 298 |
smk->buf_sizes[smk->curstream] = size; |
| 295 | 299 |
ret = avio_read(s->pb, smk->bufs[smk->curstream], size); |
| 296 | 300 |
if(ret != size) |
| ... | ... |
@@ -299,7 +303,9 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) |
| 299 | 299 |
} |
| 300 | 300 |
flags >>= 1; |
| 301 | 301 |
} |
| 302 |
- if (av_new_packet(pkt, frame_size + 768)) |
|
| 302 |
+ if (frame_size < 0) |
|
| 303 |
+ return AVERROR_INVALIDDATA; |
|
| 304 |
+ if (av_new_packet(pkt, frame_size + 769)) |
|
| 303 | 305 |
return AVERROR(ENOMEM); |
| 304 | 306 |
if(smk->frm_size[smk->cur_frame] & 1) |
| 305 | 307 |
palchange |= 2; |