malloc() is allowed to return NULL when zero is the argument. This
causes us to think malloc has failed and return AVERROR(ENOMEM). In
addition OS X malloc() returns an unfreeable non-NULL pointer for size
zero.
---
libavformat/mov.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index e2bb4d6..a0b0794 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -915,6 +915,8 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
entries = avio_rb32(pb);
+ if (!entries)
+ return 0;
if (entries >= UINT_MAX/sizeof(int64_t))
return -1;
@@ -1336,6 +1338,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
av_dlog(c->fc, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1,
entries);
+ if (!entries)
+ return 0;
if (entries >= UINT_MAX / sizeof(*sc->stsc_data))
return -1;
sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data));
@@ -1451,6 +1455,8 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
return -1;
}
+ if (!entries)
+ return 0;
if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
field_size)
return -1;
sc->sample_sizes = av_malloc(entries * sizeof(int));
@@ -1550,6 +1556,8 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
av_dlog(c->fc, "track[%i].ctts.entries = %i\n", c->fc->nb_streams-1,
entries);
+ if (!entries)
+ return 0;
if (entries >= UINT_MAX / sizeof(*sc->ctts_data))
return -1;
sc->ctts_data = av_malloc(entries * sizeof(*sc->ctts_data));
@@ -1609,6 +1617,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
current_dts -= sc->dts_shift;
+ if (!sc->sample_count)
+ return;
if (sc->sample_count >= UINT_MAX / sizeof(*st->index_entries))
return;
st->index_entries =
av_malloc(sc->sample_count*sizeof(*st->index_entries));
--
1.7.3.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
