authorTim-Philipp Müller <tim.muller@collabora.co.uk>2009-08-20 17:21:59 (GMT)
committerTim-Philipp Müller <tim.muller@collabora.co.uk>2009-09-24 15:29:26 (GMT)
commitf65e6ea3a17f98b5bcf799a1c418198028b548a1 (patch)
treea98070df493481da169298fd5284db00795d4985
parentabaf91e428e597e0209fcbf156fd5fac8a16e658 (diff)
qtdemux: bail out instead of trying to alloc silly index sizes
If it looks like we would be allocating a silly size for our sample index, just bail out instead of trying to allocate it. Helps with broken or fuzzed files where we might end up trying to malloc a couple of hundred MBs otherwise.
-rw-r--r--gst/qtdemux/qtdemux.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/gst/qtdemux/qtdemux.c b/gst/qtdemux/qtdemux.c
index 5193ca5..32c32f9 100644
--- a/gst/qtdemux/qtdemux.c
+++ b/gst/qtdemux/qtdemux.c
@@ -66,6 +66,9 @@
/* max. size considered 'sane' for non-mdat atoms */
#define QTDEMUX_MAX_ATOM_SIZE (25*1024*1024)
+/* if the sample index is larger than this, something is likely wrong */
+#define QTDEMUX_MAX_SAMPLE_INDEX_SIZE (50*1024*1024)
+
GST_DEBUG_CATEGORY (qtdemux_debug);
/*typedef struct _QtNode QtNode; */
@@ -3570,8 +3573,11 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
if (n_samples == 0)
goto no_samples;
- GST_DEBUG_OBJECT (qtdemux, "stsz sample_size 0, allocating n_samples %u",
- n_samples);
+ GST_DEBUG_OBJECT (qtdemux, "stsz sample_size 0, allocating n_samples %u "
+ "(%u MB)", n_samples, (n_samples * sizeof (QtDemuxSample)) >> 20);
+
+ if (n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
samples = g_try_new0 (QtDemuxSample, n_samples);
if (samples == NULL)
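Review bot: The added debug message passes `(n_samples * sizeof (QtDemuxSample)) >> 20` to `%u`, but `sizeof` makes that expression a `gsize`, which is wider than `guint` on 64-bit targets, so the vararg type does not match the format. Cast the result, `(guint) ((n_samples * sizeof (QtDemuxSample)) >> 20)`, or print it with `G_GSIZE_FORMAT`. On 32-bit builds the product can also wrap for the oversized counts this commit is meant to reject, so the logged MB figure may be wrong; emitting the debug line after the `index_too_big` check would avoid that. The same expression appears in the second allocation hunk (`"allocating n_samples %u (%u MB)"`). qtdemux_parse_samples starts and ends outside this hunk.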
@@ -3795,7 +3801,11 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
if (n_samples == 0)
goto no_samples;
- GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %d", n_samples);
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u (%u MB)", n_samples,
+ (n_samples * sizeof (QtDemuxSample)) >> 20);
+
+ if (n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
samples = g_try_new0 (QtDemuxSample, n_samples);
if (samples == NULL)
@@ -3940,6 +3950,13 @@ out_of_memory:
GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", n_samples);
return FALSE;
}
+index_too_big:
+ {
+ GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would "
+ "be larger than %uMB (broken file?)", n_samples,
+ QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20);
+ return FALSE;
+ }
}
/* collect all segment info for @stream.
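Review bot: The new `index_too_big` warning prints `n_samples` with `%d`, while the two debug messages added in this commit print it with `%u`. If the variable is unsigned (its declaration is outside the hunk), a fuzzed count above G_MAXINT would be logged as a negative number in exactly the case this path exists for; use `"not allocating index of %u samples, would "` here. `QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20` is an `int` expression passed to `%u`, which is harmless for this value, but a `(guint)` cast would keep argument and format consistent. The existing `out_of_memory` message above uses the same `%d`.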