avcodec/utils: fix sizeof(AVFrame) dependence in avcodec_encode_audio2()

This is a bit tricky, we allocate a correctly sized AVFrame but then only copy the compile time AVFrame size, this is to ensure that user applications which do not use the correct av frame API dont end with out of array reads. Note, applications using the correct API have set extended_data and the changed code will never be executed for them. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/utils: fix sizeof(AVFrame) dependence in avcodec_encode_audio2()
This is a bit tricky, we allocate a correctly sized AVFrame but then only copy the compile time AVFrame size, this is to ensure that user applications which do not use the correct av frame API dont end with out of array reads. Note, applications using the correct API have set extended_data and the changed code will never be executed for them. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8ab80707 · Michael Niedermayer · aa1f3801 · 8ab80707
Commit 8ab80707 authored Mar 17, 2014 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 6 deletions

utils.c libavcodec/utils.c +12 -6

No files found.
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1615,7 +1615,7 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx,
                                              const AVFrame *frame,
                                              int *got_packet_ptr)
 {
-    AVFrame tmp;
+    AVFrame *extended_frame = NULL;
    AVFrame *padded_frame = NULL;
    int ret;
    AVPacket user_pkt = *avpkt;
@@ -1640,9 +1640,13 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx,
        }
        av_log(avctx, AV_LOG_WARNING, "extended_data is not set.\n");
-        tmp = *frame;
+        extended_frame = av_frame_alloc();
-        tmp.extended_data = tmp.data;
+        if (!extended_frame)
-        frame = &tmp;
+            return AVERROR(ENOMEM);
+        memcpy(extended_frame, frame, sizeof(AVFrame));
+        extended_frame->extended_data = extended_frame->data;
+        frame = extended_frame;
    }
    /* check for valid frame size */
@@ -1650,14 +1654,15 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx,
        if (avctx->codec->capabilities & CODEC_CAP_SMALL_LAST_FRAME) {
            if (frame->nb_samples > avctx->frame_size) {
                av_log(avctx, AV_LOG_ERROR, "more samples than frame size (avcodec_encode_audio2)\n");
-                return AVERROR(EINVAL);
+                ret = AVERROR(EINVAL);
+                goto end;
            }
        } else if (!(avctx->codec->capabilities & CODEC_CAP_VARIABLE_FRAME_SIZE)) {
            if (frame->nb_samples < avctx->frame_size &&
                !avctx->internal->last_audio_frame) {
                ret = pad_last_frame(avctx, &padded_frame, frame);
                if (ret < 0)
-                    return ret;
+                    goto end;
                frame = padded_frame;
                avctx->internal->last_audio_frame = 1;
@@ -1729,6 +1734,7 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx,
 end:
    av_frame_free(&padded_frame);
+    av_free(extended_frame);
    return ret;
 }