Message ID | 20171125201126.4863-1-jstebbins@jetheaddev.com |
---|---|
State | Accepted |
Commit | 2d015d3bf9fed59c65a3819a35fedbb8b7dde623 |
Headers | show |
2017-11-25 21:11 GMT+01:00 John Stebbins <jstebbins@jetheaddev.com>: > An invalid file may cause huge alloc. Delay expansion of ctts entries > until the number of samples is known in mov_build_index. Please mention zhao dongzhuo from ADlab of Venustech who found this issue, I can confirm that the memory allocation gets fixed. Carl Eugen
On 11/25/2017 04:03 PM, Carl Eugen Hoyos wrote: > 2017-11-25 21:11 GMT+01:00 John Stebbins <jstebbins@jetheaddev.com>: >> An invalid file may cause huge alloc. Delay expansion of ctts entries >> until the number of samples is known in mov_build_index. > Please mention zhao dongzhuo from ADlab of Venustech who found this > issue, I can confirm that the memory allocation gets fixed. > > Sure. Should I amend the commit message to add something like, "Thanks to zhao dongzhuo from ADlab of Venustech for reporting this issue"?
On 11/25/2017 10:00 PM, John Stebbins wrote: > On 11/25/2017 04:03 PM, Carl Eugen Hoyos wrote: >> 2017-11-25 21:11 GMT+01:00 John Stebbins <jstebbins@jetheaddev.com>: >>> An invalid file may cause huge alloc. Delay expansion of ctts entries >>> until the number of samples is known in mov_build_index. >> Please mention zhao dongzhuo from ADlab of Venustech who found this >> issue, I can confirm that the memory allocation gets fixed. >> >> > > Sure. Should I amend the commit message to add something like, "Thanks to zhao dongzhuo from ADlab of Venustech for > reporting this issue"? Or just a "Found-by:" line. See commit 837cb4325b712ff1aab531bf41668933f61d75d2 for an example.
On 11/25/2017 05:03 PM, James Almer wrote: > On 11/25/2017 10:00 PM, John Stebbins wrote: >> On 11/25/2017 04:03 PM, Carl Eugen Hoyos wrote: >>> 2017-11-25 21:11 GMT+01:00 John Stebbins <jstebbins@jetheaddev.com>: >>>> An invalid file may cause huge alloc. Delay expansion of ctts entries >>>> until the number of samples is known in mov_build_index. >>> Please mention zhao dongzhuo from ADlab of Venustech who found this >>> issue, I can confirm that the memory allocation gets fixed. >>> >>> >> Sure. Should I amend the commit message to add something like, "Thanks to zhao dongzhuo from ADlab of Venustech for >> reporting this issue"? > Or just a "Found-by:" line. > > Is there some git magic for this, or is this just something you add manually to the bottom of the commit message?
On 11/26/2017 3:10 PM, John Stebbins wrote:
> Is there some git magic for this, or is this just something you add manually to the bottom of the commit message?
It's just manual.
- Derek
diff --git a/libavformat/mov.c b/libavformat/mov.c index ddb1e59b85..7a7fd13099 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2896,7 +2896,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; MOVStreamContext *sc; - unsigned int i, j, entries, ctts_count = 0; + unsigned int i, entries, ctts_count = 0; if (c->fc->nb_streams < 1) return 0; @@ -2929,9 +2929,8 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) continue; } - /* Expand entries such that we have a 1-1 mapping with samples. */ - for (j = 0; j < count; j++) - add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, 1, duration); + add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, + count, duration); av_log(c->fc, AV_LOG_TRACE, "count=%d, duration=%d\n", count, duration); @@ -3580,6 +3579,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st) unsigned int stps_index = 0; unsigned int i, j; uint64_t stream_size = 0; + MOVStts *ctts_data_old = sc->ctts_data; + unsigned int ctts_count_old = sc->ctts_count; if (sc->elst_count) { int i, edit_start_index = 0, multiple_edits = 0; @@ -3648,6 +3649,28 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries); + if (ctts_data_old) { + // Expand ctts entries such that we have a 1-1 mapping with samples + if (sc->sample_count >= UINT_MAX / sizeof(*sc->ctts_data)) + return; + sc->ctts_count = 0; + sc->ctts_allocated_size = 0; + sc->ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size, + sc->sample_count * sizeof(*sc->ctts_data)); + if (!sc->ctts_data) { + av_free(ctts_data_old); + return; + } + for (i = 0; i < ctts_count_old && + sc->ctts_count < sc->sample_count; i++) + for (j = 0; j < ctts_data_old[i].count && + sc->ctts_count < sc->sample_count; j++) + add_ctts_entry(&sc->ctts_data, &sc->ctts_count, + &sc->ctts_allocated_size, 1, + ctts_data_old[i].duration); + av_free(ctts_data_old); + } + for (i = 0; i < sc->chunk_count; i++) { int64_t next_offset = i+1 < sc->chunk_count ? sc->chunk_offsets[i+1] : INT64_MAX; current_offset = sc->chunk_offsets[i];