Commit 9a600590 authored by michael's avatar michael

Fix heap overflow with -async.

Fixes issue1666


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@21390 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent d69fe9a2
...@@ -563,6 +563,7 @@ static void do_audio_out(AVFormatContext *s, ...@@ -563,6 +563,7 @@ static void do_audio_out(AVFormatContext *s,
{ {
uint8_t *buftmp; uint8_t *buftmp;
int64_t audio_out_size, audio_buf_size; int64_t audio_out_size, audio_buf_size;
int64_t allocated_for_size= size;
int size_out, frame_bytes, ret; int size_out, frame_bytes, ret;
AVCodecContext *enc= ost->st->codec; AVCodecContext *enc= ost->st->codec;
...@@ -571,7 +572,8 @@ static void do_audio_out(AVFormatContext *s, ...@@ -571,7 +572,8 @@ static void do_audio_out(AVFormatContext *s,
int isize= av_get_bits_per_sample_format(dec->sample_fmt)/8; int isize= av_get_bits_per_sample_format(dec->sample_fmt)/8;
const int coded_bps = av_get_bits_per_sample(enc->codec->id); const int coded_bps = av_get_bits_per_sample(enc->codec->id);
audio_buf_size= (size + isize*dec->channels - 1) / (isize*dec->channels); need_realloc:
audio_buf_size= (allocated_for_size + isize*dec->channels - 1) / (isize*dec->channels);
audio_buf_size= (audio_buf_size*enc->sample_rate + dec->sample_rate) / dec->sample_rate; audio_buf_size= (audio_buf_size*enc->sample_rate + dec->sample_rate) / dec->sample_rate;
audio_buf_size= audio_buf_size*2 + 10000; //safety factors for the deprecated resampling API audio_buf_size= audio_buf_size*2 + 10000; //safety factors for the deprecated resampling API
audio_buf_size*= osize*enc->channels; audio_buf_size*= osize*enc->channels;
...@@ -649,10 +651,11 @@ static void do_audio_out(AVFormatContext *s, ...@@ -649,10 +651,11 @@ static void do_audio_out(AVFormatContext *s,
static uint8_t *input_tmp= NULL; static uint8_t *input_tmp= NULL;
input_tmp= av_realloc(input_tmp, byte_delta + size); input_tmp= av_realloc(input_tmp, byte_delta + size);
if(byte_delta + size <= MAX_AUDIO_PACKET_SIZE) if(byte_delta > allocated_for_size - size){
ist->is_start=0; allocated_for_size= byte_delta + (int64_t)size;
else goto need_realloc;
byte_delta= MAX_AUDIO_PACKET_SIZE - size; }
ist->is_start=0;
memset(input_tmp, 0, byte_delta); memset(input_tmp, 0, byte_delta);
memcpy(input_tmp + byte_delta, buf, size); memcpy(input_tmp + byte_delta, buf, size);
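Review bot: The result of `av_realloc(input_tmp, byte_delta + size)` is still used unchecked by the `memset`/`memcpy` that follow, and since this hunk removes the `MAX_AUDIO_PACKET_SIZE` clamp on `byte_delta`, the padding length is no longer bounded at this point, which makes a failed allocation more plausible. A guard right after the realloc, such as `if(!input_tmp){ /* report out-of-memory and bail out */ }`, would keep a NULL pointer from reaching those writes. The realloc size is also summed without the `(int64_t)` widening that the new `allocated_for_size` assignment uses; if `byte_delta` is an `int` (its declaration is outside the hunk), it would be worth bounding `byte_delta + (int64_t)size` explicitly before allocating. The body of do_audio_out starts and ends outside the visible hunks, so the code that runs again after `goto need_realloc` could not be checked here.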
......