[FFmpeg-devel] [PATCH v3] avutil/frame: Use av_realloc_array()
Michael Niedermayer
michael at niedermayer.cc
Tue Apr 7 17:15:59 EEST 2020
On Thu, Dec 26, 2019 at 08:33:38AM +0800, lance.lmwang at gmail.com wrote:
> From: Limin Wang <lance.lmwang at gmail.com>
>
> Signed-off-by: Limin Wang <lance.lmwang at gmail.com>
> ---
> libavutil/frame.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/libavutil/frame.c b/libavutil/frame.c
> index e403809..2e763ef 100644
> --- a/libavutil/frame.c
> +++ b/libavutil/frame.c
> @@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame,
> if (!buf)
> return NULL;
>
> - if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
> - return NULL;
> -
> - tmp = av_realloc(frame->side_data,
> - (frame->nb_side_data + 1) * sizeof(*frame->side_data));
> + tmp = av_realloc_array(frame->side_data,
> + frame->nb_side_data + 1, sizeof(*frame->side_data));
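Review bot: The replacement call on the `+` lines computes `frame->nb_side_data + 1` at the call site, before `av_realloc_array()` can check anything, and the removed `INT_MAX / sizeof(*frame->side_data) - 1` comparison was the only bound on `nb_side_data` visible in this hunk. Either keep an explicit caller-side bound on `nb_side_data`, or state in the commit message which documented limit of `av_realloc_array()` the change relies on; the message currently carries only the sign-off.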
This depends on undocumented behavior of
av_realloc_array() checking against INT_MAX. Also, there's a patch to increase
this undocumented limit on the ML. This and that other patch would result in
inadequate checking and potential overflow.
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didn't complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
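The concern raised in the reply above, modelled as an added example that is not code from the patch, the reply or FFmpeg: a caller-side bound keeps holding when a callee-side limit is raised, while a caller that relies only on the callee does not. `callee_accepts`, `checked_realloc`, `caller_accepts` and `grow_by_one` are hypothetical names, and the callee limit is a parameter here, not FFmpeg's actual value.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical callee-side check; NOT FFmpeg's av_realloc_array().
 * The limit is a parameter so that a change to it can be modelled. */
int callee_accepts(uint64_t nmemb, uint64_t size, uint64_t limit)
{
    return size != 0 && nmemb <= limit / size;
}

void *checked_realloc(void *p, uint64_t nmemb, uint64_t size, uint64_t limit)
{
    if (!callee_accepts(nmemb, size, limit) || nmemb * size > SIZE_MAX)
        return NULL;
    return realloc(p, (size_t)(nmemb * size));
}

/* Caller-side bound shaped like the check the hunk removes: it holds for
 * any callee limit and keeps count + 1 representable as int. */
int caller_accepts(int count, uint64_t size)
{
    return count >= 0 && size != 0 && size <= INT_MAX &&
           (uint64_t)count <= INT_MAX / size - 1;
}

/* Grow an int-counted array by one element without relying on the callee. */
int grow_by_one(void **arr, int *count, uint64_t size, uint64_t limit)
{
    if (!caller_accepts(*count, size))
        return -1;
    void *tmp = checked_realloc(*arr, (uint64_t)*count + 1, size, limit);
    if (!tmp)
        return -1;
    *arr = tmp;
    (*count)++;
    return 0;
}

int main(void)
{
    /* Constructed case: 16-byte elements, counter already at INT_MAX. */
    uint64_t n = (uint64_t)INT_MAX + 1;
    printf("callee limit INT_MAX: %d, raised: %d, caller bound: %d\n",
           callee_accepts(n, 16, INT_MAX), callee_accepts(n, 16, UINT64_MAX),
           caller_accepts(INT_MAX, 16));
    return 0;
}
```

With the callee limit at `INT_MAX` the two checks reject at the same element count; once the limit is raised, only the caller-side bound still stops the counter before `count + 1` leaves the range of `int`.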