authorMåns Rullgård <mans@mansr.com>2009-08-19 21:59:40 +0000
committerMåns Rullgård <mans@mansr.com>2009-08-19 21:59:40 +0000
commit0314dead4e7c058568e792842405190c06d71da5 (patch)
treef964e5d6e5d7a1e7237b8c736aba30e39bf98ca8
parent8313e17976053fee193f79f3278ba656022d4233 (diff)
eval: replace variable-length array with av_malloc/free
In theory a very long string can be passed to ff_parse, and the working copy of it could crash the program if allocated from the stack. Allocating it from the heap allows the allocation to be checked properly. Originally committed as revision 19670 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/eval.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/eval.c b/libavcodec/eval.c
index 95e93107f8..1d52ba582b 100644
--- a/libavcodec/eval.c
+++ b/libavcodec/eval.c
@@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
double (**func2)(void *, double, double), const char **func2_name,
const char **error){
Parser p;
- AVEvalExpr * e;
- char w[strlen(s) + 1], * wp = w;
+ AVEvalExpr *e = NULL;
+ char *w = av_malloc(strlen(s) + 1);
+ char *wp = w;
+
+ if (!w)
+ goto end;
while (*s)
if (!isspace(*s++)) *wp++ = s[-1];
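Review bot: The allocation-failure path added here (`if (!w) goto end;`) returns NULL without writing anything through the `error` parameter, so a caller that reports `*error` after a NULL return may read a stale or uninitialised pointer. How `error` is used lies in the part of ff_parse outside this hunk, so this is inferred rather than confirmed. Setting it before the jump would close the gap, e.g. `if (!w) { *error = "out of memory"; goto end; }`, assuming `error` is never NULL. Separately, the copy loop that now fills the heap buffer passes a plain `char` to `isspace`, which is undefined for negative values where `char` is signed; `isspace((unsigned char)*s++)` avoids that.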
@@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
e = parse_expr(&p);
if (!verify_expr(e)) {
ff_eval_free(e);
- return NULL;
+ e = NULL;
}
+end:
+ av_free(w);
return e;
}
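Review bot: `end:` is now the only place `w` is released, so any `return` in the lines between the two hunks (not visible here) would leak the buffer, and the tree returned in `e` must not keep pointers into `w` once `av_free(w)` has run. Neither can be confirmed from this hunk, because parse_expr and the middle of ff_parse are outside it. A comment at the label would record the contract: `/* w is parser scratch only: freed on every exit, e must not alias it */`. The failure path from the first hunk also reaches `av_free(w)` with `w == NULL`, which relies on av_free accepting a NULL pointer.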