[libav-devel] [PATCH] nut: check memory allocations

Nidhi Makhijani nidhimj22 at gmail.com
Thu Jun 19 13:53:33 CEST 2014


---
 libavformat/nutdec.c | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 838c181..aca9f2e 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -205,6 +205,7 @@ static int decode_main_header(NUTContext *nut)
 {
     AVFormatContext *s = nut->avf;
     AVIOContext *bc    = s->pb;
+    AVStream *st;
     uint64_t tmp, end;
     unsigned int stream_count;
     int i, j, count;
@@ -231,6 +232,8 @@ static int decode_main_header(NUTContext *nut)
     GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational));
     nut->time_base = av_malloc(nut->time_base_count * sizeof(AVRational));
 
+    if (!nut->time_base)
+        return AVERROR(ENOMEM);
     for (i = 0; i < nut->time_base_count; i++) {
         GET_V(nut->time_base[i].num, tmp > 0 && tmp < (1ULL << 31));
         GET_V(nut->time_base[i].den, tmp > 0 && tmp < (1ULL << 31));
@@ -313,7 +316,8 @@ static int decode_main_header(NUTContext *nut)
             }
             hdr = av_malloc(nut->header_len[i]);
             if (!hdr)
-                return AVERROR(ENOMEM);
+                goto fail;
+
             avio_read(bc, hdr, nut->header_len[i]);
             nut->header[i] = hdr;
         }
@@ -331,10 +335,24 @@ static int decode_main_header(NUTContext *nut)
     }
 
     nut->stream = av_mallocz(sizeof(StreamContext) * stream_count);
-    for (i = 0; i < stream_count; i++)
-        avformat_new_stream(s, NULL);
+    if (!nut->stream)
+        goto fail;
+    for (i = 0; i < stream_count; i++) {
+        st = avformat_new_stream(s, NULL);
+        if (!st) {
+            av_free(nut->stream);
+            i = nut->header_count;
+            goto fail;
+        }
+    }
 
     return 0;
+
+fail:
+    av_free(nut->time_base);
+    for (j = 1; j < i; j++)
+        av_freep(&nut->header_len[j]);
+    return AVERROR(ENOMEM);
 }
 
 static int decode_stream_header(NUTContext *nut)
@@ -405,6 +423,10 @@ static int decode_stream_header(NUTContext *nut)
     if (st->codec->extradata_size) {
         st->codec->extradata = av_mallocz(st->codec->extradata_size +
                                           FF_INPUT_BUFFER_PADDING_SIZE);
+        if (!st->codec->extradata) {
+            st->codec->extradata_size = 0;
+            return AVERROR(ENOMEM);
+        }
         avio_read(bc, st->codec->extradata, st->codec->extradata_size);
     }
 
@@ -599,6 +621,10 @@ static int find_and_decode_index(NUTContext *nut)
     GET_V(syncpoint_count, tmp < INT_MAX / 8 && tmp > 0);
     syncpoints   = av_malloc(sizeof(int64_t) *  syncpoint_count);
     has_keyframe = av_malloc(sizeof(int8_t)  * (syncpoint_count + 1));
+    if (!syncpoints || !has_keyframe) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }
     for (i = 0; i < syncpoint_count; i++) {
         syncpoints[i] = ffio_read_varlen(bc);
         if (syncpoints[i] <= 0)
@@ -812,7 +838,7 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
 {
     AVFormatContext *s = nut->avf;
     AVIOContext *bc    = s->pb;
-    int size, stream_id, discard;
+    int size, stream_id, discard, ret;
     int64_t pts, last_IP_pts;
     StreamContext *stc;
     uint8_t header_idx;
@@ -837,7 +863,9 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
         return 1;
     }
 
-    av_new_packet(pkt, size + nut->header_len[header_idx]);
+    ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
+    if (ret < 0)
+        return ret;
     memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
     pkt->pos = avio_tell(bc); // FIXME
     avio_read(bc, pkt->data + nut->header_len[header_idx], size);
-- 
1.9.1



More information about the libav-devel mailing list