From 7631341989c7885eb692cf77b92001e757270a82 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Wed, 13 Jan 2021 09:13:12 +0900
Subject: [PATCH] fix potential crash issue due to sws_scale()

- av_malloc() align size and allocate memory for different architecture. and sws_scale() use memory without checking. so if we use g_malloc(), sws_scale() make crash sometimes. we should allocate memory with av_malloc() before using sws_scale().
- ref. https://trac.ffmpeg.org/ticket/5886/
Change-Id: I893578f2c82ed881de1bbcb92595a3e57d5e3c1e
---
 formats/ffmpeg/mm_file_format_ffmpeg.c | 10 ++++++++--
 formats/ffmpeg/mm_file_format_frame.c | 9 +++++++--
 include/mm_file_formats.h | 1 +
 mm_file.c | 11 +++++++++--
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/formats/ffmpeg/mm_file_format_ffmpeg.c b/formats/ffmpeg/mm_file_format_ffmpeg.c
index fe28c7e..66f1714 100644
--- a/formats/ffmpeg/mm_file_format_ffmpeg.c
+++ b/formats/ffmpeg/mm_file_format_ffmpeg.c
@@ -847,7 +847,12 @@ int mmfile_format_read_frame_ffmpg(MMFileFormatContext *formatContext, unsigned
 goto exception;
 }
- frame->frameData = g_malloc0(numBytes);
+ frame->frameData = av_malloc(numBytes);
+ if (!frame->frameData) {
+ debug_error(DEBUG, "error: av_malloc.");
+ ret = MMFILE_FORMAT_FAIL;
+ goto exception;
+ }
 uint8_t *dst_data[4];
 int dst_linesize[4];
@@ -885,6 +890,7 @@ int mmfile_format_read_frame_ffmpg(MMFileFormatContext *formatContext, unsigned
 frame->frameWidth = width;
 frame->frameHeight = height;
 frame->configLenth = 0;
+ frame->frameDataFree = av_free;
 if (pFrame) av_frame_free(&pFrame);
@@ -897,7 +903,7 @@ exception:
 if (pVideoCodecCtx) avcodec_free_context(&pVideoCodecCtx);
- mmfile_free(frame->frameData);
+ av_freep(&frame->frameData);
 if (pFrame) av_frame_free(&pFrame);
diff --git a/formats/ffmpeg/mm_file_format_frame.c b/formats/ffmpeg/mm_file_format_frame.c
index 5b4517c..f9e402a 100755
--- a/formats/ffmpeg/mm_file_format_frame.c
+++ b/formats/ffmpeg/mm_file_format_frame.c
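Review bot: In the `@@ -847,7 +847,12 @@` hunk of mm_file_format_ffmpeg.c, `av_malloc(numBytes)` returns uninitialised memory where the removed `g_malloc0()` returned a zero-filled buffer, so any part of `frame->frameData` that the later scaling step leaves unwritten now carries stale heap bytes into the frame handed back to the caller. `frame->frameData = av_mallocz(numBytes);` keeps the aligned allocation and the previous zero-fill; the same applies to `*frame = av_malloc(*size);` in the `@@ -475,7 +475,12 @@` hunk of mm_file_format_frame.c. How `numBytes` is computed and range-checked lies outside the hunk, so confirm it cannot be zero or negative before it is converted to the size argument.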
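Review bot: In the `@@ -897,7 +903,7 @@` hunk of mm_file_format_ffmpeg.c, the failure path clears `frame->frameData` with `av_freep()` but never writes `frame->frameDataFree`, which is only assigned on the success path. The caller's error path in mm_file.c branches on `frameContext.frameDataFree` and calls through it, so after a failed read it acts on whatever that field held before the call; whether `frameContext` is zero-initialised is not visible in this patch. Adding `frame->frameDataFree = NULL;` next to the `av_freep()` (or at function entry) makes the failure state explicit. The function body continues outside the hunk.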
@@ -475,7 +475,12 @@ static int __mmfile_get_frame(AVFormatContext *pFormatCtx,
 goto exception;
 }
- *frame = g_malloc0(*size);
+ *frame = av_malloc(*size);
+ if (!(*frame)) {
+ debug_error(DEBUG, "error: av_malloc.");
+ ret = MMFILE_FORMAT_FAIL;
+ goto exception;
+ }
 debug_msg(RELEASE, "size : %d", *size);
 debug_msg(RELEASE, "width : %d", *width);
@@ -501,7 +506,7 @@ static int __mmfile_get_frame(AVFormatContext *pFormatCtx,
 return MMFILE_FORMAT_SUCCESS;
 exception:
- mmfile_free(*frame);
+ av_freep(frame);
 if (pFrame) av_frame_free(&pFrame);
diff --git a/include/mm_file_formats.h b/include/mm_file_formats.h
index 94864c7..cff3dfb 100755
--- a/include/mm_file_formats.h
+++ b/include/mm_file_formats.h
@@ -90,6 +90,7 @@ typedef struct _mmfileformatframe {
 unsigned int frameHeight;
 unsigned int configLenth;
 unsigned char *frameData;
+ void (*frameDataFree)(void *);
 void *configData;
 unsigned int timestamp;
 unsigned int frameNumber;
diff --git a/mm_file.c b/mm_file.c
index ef77535..1ecec7d 100644
--- a/mm_file.c
+++ b/mm_file.c
@@ -389,6 +389,7 @@ __get_contents_thumbnail(MMFileFormatContext *formatContext)
 thumbnail->frameWidth = frameContext.frameWidth;
 thumbnail->frameHeight = frameContext.frameHeight;
 thumbnail->frameData = frameContext.frameData;
+ thumbnail->frameDataFree = frameContext.frameDataFree;
 thumbnail->configLenth = 0;
 thumbnail->configData = NULL;
@@ -402,7 +403,10 @@ __get_contents_thumbnail(MMFileFormatContext *formatContext)
 return FILEINFO_ERROR_NONE;
 exception:
 mmfile_free(thumbnail);
- mmfile_free(frameContext.frameData);
+ if (frameContext.frameDataFree)
+ frameContext.frameDataFree(frameContext.frameData);
+ else
+ mmfile_free(frameContext.frameData);
 mmfile_free(frameContext.configData);
 return ret;
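Review bot: In the `@@ -475,7 +475,12 @@` hunk of mm_file_format_frame.c, `*frame` is an out-parameter whose buffer now comes from `av_malloc()` and must be released with `av_free()`, yet unlike the thumbnail path no deallocator travels with it. The code that finally frees the pointer is outside this patch; if it still uses the allocator that matched `g_malloc0()`, allocation and release are now mismatched across the API boundary. Either copy the scaled image into a buffer from the original allocator before returning, or state the contract on the function, e.g. `/* *frame is allocated with av_malloc(); release it with av_free() */`, and update the callers. `__mmfile_get_frame` starts and ends outside the hunk.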
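Review bot: In the mm_file_formats.h hunk, the new `frameDataFree` member has no comment stating its contract, although mm_file.c treats NULL as "release with mmfile_free()", so every producer of this struct has to zero the field or set it deliberately. A comment such as `/* deallocator paired with frameData; NULL means mmfile_free() */` above the member would record that. The member is also inserted mid-struct, which shifts the offsets of `configData` and the fields after it; if any format module is built separately against this header, appending the field at the end avoids a layout mismatch. The rest of the struct is outside the hunk.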
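Review bot: The choose-the-deallocator branch added in the `@@ -402,7 +403,10 @@` hunk of mm_file.c is repeated for `formatContext->thumbNail` in the `@@ -473,7 +477,10 @@` hunk, and neither copy clears the callback after the call. One static helper would keep the allocator pairing in a single place and leave the struct in a defined state. The sketch below uses the struct tag visible in mm_file_formats.h, and both call sites reduce to one call. `__get_contents_thumbnail` starts and ends outside the hunk.
```c
/* Release frameData with the deallocator that produced it. */
static void __release_frame_data(struct _mmfileformatframe *frame)
{
	if (!frame)
		return;

	if (frame->frameDataFree)
		frame->frameDataFree(frame->frameData);
	else
		mmfile_free(frame->frameData);

	frame->frameData = NULL;
	frame->frameDataFree = NULL;
}

/* … unchanged: mmfile_free(thumbnail) on the exception path … */
	__release_frame_data(&frameContext);
```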
@@ -473,7 +477,10 @@ but MMFileUtilGetMetaDataFromMP4() Extract just TAG info. That is needed for mm_
 _info_set_attr_media(attrs, formatContext);
 if (formatContext->thumbNail) {
- mmfile_free(formatContext->thumbNail->frameData);
+ if (formatContext->thumbNail->frameDataFree)
+ formatContext->thumbNail->frameDataFree(formatContext->thumbNail->frameData);
+ else
+ mmfile_free(formatContext->thumbNail->frameData);
 mmfile_free(formatContext->thumbNail->configData);
 mmfile_free(formatContext->thumbNail);
 }
--
2.7.4