author | Måns Rullgård <mans@mansr.com> | 2009-08-19 21:59:40 +0000 |
---|---|---|
committer | Måns Rullgård <mans@mansr.com> | 2009-08-19 21:59:40 +0000 |
commit | 0314dead4e7c058568e792842405190c06d71da5 (patch) | |
tree | f964e5d6e5d7a1e7237b8c736aba30e39bf98ca8 /libavcodec/eval.c | |
parent | 8313e17976053fee193f79f3278ba656022d4233 (diff) | |
download | ffmpeg-0314dead4e7c058568e792842405190c06d71da5.tar.gz |
eval: replace variable-length array with av_malloc/free
There is a theoretical possibility to pass a very long string to ff_parse,
which could crash if allocated from the stack. This allows the allocation
to be checked properly.
Originally committed as revision 19670 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/eval.c')
-rw-r--r-- | libavcodec/eval.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/eval.c b/libavcodec/eval.c index 95e93107f8..1d52ba582b 100644 --- a/libavcodec/eval.c +++ b/libavcodec/eval.c @@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name, double (**func2)(void *, double, double), const char **func2_name, const char **error){ Parser p; - AVEvalExpr * e; - char w[strlen(s) + 1], * wp = w; + AVEvalExpr *e = NULL; + char *w = av_malloc(strlen(s) + 1); + char *wp = w; + + if (!w) + goto end; while (*s) if (!isspace(*s++)) *wp++ = s[-1]; @@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name, e = parse_expr(&p); if (!verify_expr(e)) { ff_eval_free(e); - return NULL; + e = NULL; } +end: + av_free(w); return e; } |
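Review bot: The new out-of-memory path in the first hunk, `if (!w) goto end;`, returns NULL without storing anything through `error`, so a caller cannot tell an allocation failure from a parse failure, and one that prints `*error` after a NULL return gets whatever that pointer held before the call. If `error` is always non-NULL at this point (the hunk does not show that), set it before jumping: `if (!w) { *error = "out of memory"; goto end; }`. Separately, `strlen(s) + 1` is a `size_t`; if `av_malloc` in this tree takes a narrower size type, which is not visible here, a sufficiently long string would get a truncated allocation while the copy loop still writes the full length, so the length should be range-checked before the call. The body of ff_parse between the two hunks is not shown.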