integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
commit: 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree: 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/http.c
parent: 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download: ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz
1 files changed, 8 insertions, 4 deletions
diff --git a/libavformat/http.c b/libavformat/http.c
index d8ab4d3f44..85b1f319bd 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -290,12 +290,16 @@ URLProtocol http_protocol = {
 static char *b64_encode( unsigned char *src )
 {
     static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-                                                                                
-    char *dst = av_malloc( strlen( src ) * 4 / 3 + 12 );
-    char *ret = dst;
+    unsigned int len= strlen(src);
+    char *ret, *dst;
     unsigned i_bits = 0;
     unsigned i_shift = 0;
-                                                                                
+
+    if(len < UINT_MAX/4){
+        ret=dst= av_malloc( len * 4 / 3 + 12 );
+    }else
+        return NULL;
+
     for( ;; )
     {
         if( *src )
author	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
commit	568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree	18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/http.c
parent	934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download	ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz