Browse Source
avcodec/ccaption_dec: Use simple array instead of AVBuffer
This is simpler and fixes an out of array read, fixing it with AVBuffers would be more complex Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>tags/n3.2
Michael Niedermayer
9 years ago
1 changed files with 11 additions and 16 deletions
Unified View
Diff Options
-
+11 -16libavcodec/ccaption_dec.c
+ 11
- 16
libavcodec/ccaption_dec.c
View File
| @@ -247,7 +247,8 @@ typedef struct CCaptionSubContext { | |||||
| int64_t last_real_time; | int64_t last_real_time; | ||||
| char prev_cmd[2]; | char prev_cmd[2]; | ||||
| /* buffer to store pkt data */ | /* buffer to store pkt data */ | ||||
| AVBufferRef *pktbuf; | |||||
| uint8_t *pktbuf; | |||||
| int pktbuf_size; | |||||
| int readorder; | int readorder; | ||||
| } CCaptionSubContext; | } CCaptionSubContext; | ||||
| @@ -274,11 +275,7 @@ static av_cold int init_decoder(AVCodecContext *avctx) | |||||
| if (ret < 0) { | if (ret < 0) { | ||||
| return ret; | return ret; | ||||
| } | } | ||||
| /* allocate pkt buffer */ | |||||
| ctx->pktbuf = av_buffer_alloc(128); | |||||
| if (!ctx->pktbuf) { | |||||
| ret = AVERROR(ENOMEM); | |||||
| } | |||||
| return ret; | return ret; | ||||
| } | } | ||||
| @@ -286,7 +283,8 @@ static av_cold int close_decoder(AVCodecContext *avctx) | |||||
| { | { | ||||
| CCaptionSubContext *ctx = avctx->priv_data; | CCaptionSubContext *ctx = avctx->priv_data; | ||||
| av_bprint_finalize(&ctx->buffer, NULL); | av_bprint_finalize(&ctx->buffer, NULL); | ||||
| av_buffer_unref(&ctx->pktbuf); | |||||
| av_freep(&ctx->pktbuf); | |||||
| ctx->pktbuf_size = 0; | |||||
| return 0; | return 0; | ||||
| } | } | ||||
| @@ -759,16 +757,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp | |||||
| int ret = 0; | int ret = 0; | ||||
| int i; | int i; | ||||
| if (ctx->pktbuf->size < len) { | |||||
| ret = av_buffer_realloc(&ctx->pktbuf, len); | |||||
| if (ret < 0) { | |||||
| av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size); | |||||
| len = ctx->pktbuf->size; | |||||
| ret = 0; | |||||
| } | |||||
| av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len); | |||||
| if (!ctx->pktbuf) { | |||||
| av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size); | |||||
| return AVERROR(ENOMEM); | |||||
| } | } | ||||
| memcpy(ctx->pktbuf->data, avpkt->data, len); | |||||
| bptr = ctx->pktbuf->data; | |||||
| memcpy(ctx->pktbuf, avpkt->data, len); | |||||
| bptr = ctx->pktbuf; | |||||
| for (i = 0; i < len; i += 3) { | for (i = 0; i < len; i += 3) { | ||||
| uint8_t cc_type = *(bptr + i) & 3; | uint8_t cc_type = *(bptr + i) & 3; | ||||