From 55ae13e3deffa21027a44f31b4ae2f53a4fa7426 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Tue, 22 Oct 2013 16:11:11 +0100 Subject: [PATCH] nut: Fix unchecked allocations Signed-off-by: Derek Buitenhuis --- libavformat/nut.c | 10 +++++++++- libavformat/nut.h | 2 +- libavformat/nutdec.c | 5 ++++- libavformat/nutenc.c | 3 ++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/libavformat/nut.c b/libavformat/nut.c index 7e7997998f..8b8a4cb8ac 100644 --- a/libavformat/nut.c +++ b/libavformat/nut.c @@ -227,11 +227,17 @@ int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b) return ((a->ts - b->ts) >> 32) - ((b->ts - a->ts) >> 32); } -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts) +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts) { Syncpoint *sp = av_mallocz(sizeof(Syncpoint)); struct AVTreeNode *node = av_tree_node_alloc(); + if (!sp || !node) { + av_freep(&sp); + av_freep(&node); + return AVERROR(ENOMEM); + } + nut->sp_count++; sp->pos = pos; @@ -242,6 +248,8 @@ void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts) av_free(sp); av_free(node); } + + return 0; } static int enu_free(void *opaque, void *elem) diff --git a/libavformat/nut.h b/libavformat/nut.h index dc5af15a57..da456ac5b0 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -122,7 +122,7 @@ void ff_nut_reset_ts(NUTContext *nut, AVRational time_base, int64_t val); int64_t ff_lsb2full(StreamContext *stream, int64_t lsb); int ff_nut_sp_pos_cmp(const Syncpoint *a, const Syncpoint *b); int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b); -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); void ff_nut_free_sp(NUTContext *nut); extern const Dispositions ff_nut_dispositions[]; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index f380279343..aa7ca676fb 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -558,6 +558,7 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) AVIOContext *bc = s->pb; int64_t end; uint64_t tmp; + int ret; nut->last_syncpoint_pos = avio_tell(bc) - 8; @@ -579,7 +580,9 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) *ts = tmp / nut->time_base_count * av_q2d(nut->time_base[tmp % nut->time_base_count]) * AV_TIME_BASE; - ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts); + + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts)) < 0) + return ret; return 0; } diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index f24813b8ea..b6d754d595 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -858,7 +858,8 @@ static int nut_write_packet(AVFormatContext *s, AVPacket *pkt) ff_put_v(dyn_bc, sp ? (nut->last_syncpoint_pos - sp->pos) >> 4 : 0); put_packet(nut, bc, dyn_bc, 1, SYNCPOINT_STARTCODE); - ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts); + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts)) < 0) + return ret; if ((1ll<<60) % nut->sp_count == 0) for (i=0; inb_streams; i++) {