[FFmpeg-devel] [PATCH] use av_mallocz() in vorbis_comment()

Justin Ruggles justin.ruggles
Thu Feb 12 12:13:23 CET 2009


Benoit Fouet wrote:
> On 02/12/2009 03:45 AM, Justin Ruggles wrote:
>> Måns Rullgård wrote:
>>   
>>> Justin Ruggles <justin.ruggles at gmail.com> writes:
>>>
>>>     
>>>> Hi,
>>>>
>>>> This patch avoids allocating memory on the stack based on decoded stream
>>>> values which can be up to 32-bit.  Mans has pointed out that the current
>>>> version is not a security risk, it would just crash with SIGSEGV for
>>>> really large metadata.  This patch skips the single metadata tag if
>>>> allocation fails and continues to try the next tag.
>>>>
>>>> Thanks,
>>>> Justin
>>>>
>>>>
>>>> Index: libavformat/oggparsevorbis.c
>>>> ===================================================================
>>>> --- libavformat/oggparsevorbis.c	(revision 17145)
>>>> +++ libavformat/oggparsevorbis.c	(working copy)
>>>> @@ -71,15 +71,21 @@
>>>>          v++;
>>>>  
>>>>          if (tl && vl) {
>>>> -            char tt[tl + 1];
>>>> -            char ct[vl + 1];
>>>> +            char *tt, *ct;
>>>>  
>>>> +            tt = av_mallocz(tl + 1);
>>>> +            ct = av_mallocz(vl + 1);
>>>>       
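Review bot: at `tt = av_mallocz(tl + 1)` and `ct = av_mallocz(vl + 1)` the sizes come from stream lengths, and nothing visible in the hunk bounds them before the `+ 1`. The declarations of `tl` and `vl` are outside the shown lines, so confirm that the addition cannot wrap or go negative for a 32-bit length, or reject oversized values before allocating. The quoted part also ends before any NULL check or free: both pointers need testing before they are written to, and the skip path has to release whichever allocation did succeed (av_freep() on each is enough) so a failed tag does not leak.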
>>> Why mallocz?  It's being written again immediately below.
>>>     
>> No particular reason. New patch attached.
>>
>>   
> 
> isn't this patch missing some av_freep ?

oops... new patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vorbiscomment_av_malloc.diff
Type: text/x-diff
Size: 943 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090212/f3e300e5/attachment.diff>
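The approach discussed in this thread (heap buffers instead of stack arrays sized by stream lengths, skipping only the tag whose allocation fails, and freeing on every path), as an added example that is not the attached patch or FFmpeg code. `parse_comments`, `dup_field`, the `max` cap and the sample bytes are assumptions made for illustration, and plain `malloc`/`free` stand in for `av_malloc`/`av_freep`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Heap copy of n bytes plus NUL; NULL if n reaches max (assumed cap) or malloc fails. */
static char *dup_field(const uint8_t *src, size_t n, size_t max)
{
    char *s = n < max ? malloc(n + 1) : NULL;
    if (s) { memcpy(s, src, n); s[n] = 0; }
    return s;
}

/* Walks the comment list that follows the vendor string; returns tags kept. */
int parse_comments(const uint8_t *p, size_t size, size_t max, unsigned *skipped)
{
    const uint8_t *end = p + size;
    uint32_t n;
    int kept = 0;
    *skipped = 0;
    if (size < 4) return 0;
    n = rd_le32(p); p += 4;
    while (n-- && end - p >= 4) {
        uint32_t s = rd_le32(p); p += 4;
        if (s > (size_t)(end - p)) break;          /* length runs past the buffer */
        const uint8_t *eq = memchr(p, '=', s);
        if (eq && eq > p && eq + 1 < p + s) {      /* tl && vl, as in the patch */
            size_t tl = eq - p, vl = s - tl - 1;
            char *tt = dup_field(p, tl, max);
            char *ct = dup_field(eq + 1, vl, max);
            if (tt && ct) kept++;                  /* a demuxer would store the pair here */
            else (*skipped)++;                     /* drop this tag only, keep parsing */
            free(tt);                              /* free(NULL) is a no-op */
            free(ct);
        }
        p += s;
    }
    return kept;
}

/* Constructed sample: count 3, then "A=1", "LONG=xxxx", "B=2". */
static const uint8_t sample[] = {
    3,0,0,0,  3,0,0,0,'A','=','1',
    9,0,0,0,'L','O','N','G','=','x','x','x','x',  3,0,0,0,'B','=','2',
};
```

Passing a small `max` forces the failure path on the middle tag, which shows that the tags before and after it are still parsed.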


