author | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
commit | 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch) | |
tree | 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/utils.c | |
parent | 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff) | |
download | ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz |
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/utils.c')
-rw-r--r-- | libavformat/utils.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index c889b3384f..8366b35c38 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -180,7 +180,10 @@ static void av_destruct_packet(AVPacket *pkt)
 */
 int av_new_packet(AVPacket *pkt, int size)
 {
- void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+ void *data;
+ if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
+ data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data)
 return AVERROR_NOMEM;
 memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
@@ -200,6 +203,8 @@ int av_dup_packet(AVPacket *pkt)
 uint8_t *data;
 /* we duplicate the packet and don't forget to put the padding again */
+ if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
 data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data) {
 return AVERROR_NOMEM;
@@ -277,8 +282,8 @@ int fifo_read(FifoBuffer *f, uint8_t *buf, int buf_size, uint8_t **rptr_ptr)
 return 0;
 }
-void fifo_realloc(FifoBuffer *f, int new_size){
- int old_size= f->end - f->buffer;
+void fifo_realloc(FifoBuffer *f, unsigned int new_size){
+ unsigned int old_size= f->end - f->buffer;
 if(old_size < new_size){
 uint8_t *old= f->buffer;
@@ -1007,10 +1012,16 @@ int av_add_index_entry(AVStream *st,
 AVIndexEntry *entries, *ie;
 int index;
+ if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
+ return -1;
+
 entries = av_fast_realloc(st->index_entries, &st->index_entries_allocated_size, (st->nb_index_entries + 1) * sizeof(AVIndexEntry));
+ if(!entries)
+ return -1;
+
 st->index_entries= entries;
 index= av_index_search_timestamp(st, timestamp, 0); |
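Review bot: The guard added in av_new_packet only detects unsigned wraparound, so most negative values of `size` still pass it and, if the allocation succeeds, reach `memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE)` with a negative offset. The same pattern is repeated for `pkt->size` in the av_dup_packet hunk. Checking the range in signed terms covers both ends and also keeps the later `size + FF_INPUT_BUFFER_PADDING_SIZE` from overflowing as an int: `if(size < 0 || size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return AVERROR_NOMEM;`. Whether av_malloc itself refuses the oversized request is not visible in this diff, and both function bodies continue outside their hunks.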
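Review bot: fifo_realloc now takes `unsigned int new_size` but still returns void, so a negative int passed by a caller is converted to a very large request and the caller has no way to learn that the resize did not happen; how the allocation result is handled lies outside this hunk. `f->end - f->buffer` is also a pointer difference narrowed into `unsigned int old_size` with nothing stating why that is safe. I would document the contract above the function, for example `/* new_size must be validated by the caller; allocation failure cannot be reported */`.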
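Review bot: The new `if(!entries) return -1;` in av_add_index_entry keeps the old `st->index_entries` pointer, but `st->index_entries_allocated_size` was passed by address to av_fast_realloc and may already have been raised before the reallocation failed; av_fast_realloc's body is not in this diff, so this needs confirming. If it was, a later call would see enough recorded capacity and write past the old, smaller buffer. Saving the value in a local (here `old_alloc`) before the call and restoring it on failure closes that: `if(!entries){ st->index_entries_allocated_size = old_alloc; return -1; }`. The overflow check also depends on `UINT_MAX`, so `<limits.h>` has to be included in this file, which the hunk does not show.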