[FFmpeg-cvslog] r19670 - trunk/libavcodec/eval.c
mru
subversion
Wed Aug 19 23:59:41 CEST 2009
Author: mru
Date: Wed Aug 19 23:59:40 2009
New Revision: 19670
Log:
eval: replace variable-length array with av_malloc/free
There is a theoretical possibility to pass a very long string to ff_parse,
which could crash if allocated from the stack. This allows the allocation
to be checked properly.
Modified:
trunk/libavcodec/eval.c
Modified: trunk/libavcodec/eval.c
==============================================================================
--- trunk/libavcodec/eval.c Wed Aug 19 23:59:36 2009 (r19669)
+++ trunk/libavcodec/eval.c Wed Aug 19 23:59:40 2009 (r19670)
@@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, con
double (**func2)(void *, double, double), const char **func2_name,
const char **error){
Parser p;
- AVEvalExpr * e;
- char w[strlen(s) + 1], * wp = w;
+ AVEvalExpr *e = NULL;
+ char *w = av_malloc(strlen(s) + 1);
+ char *wp = w;
+
+ if (!w)
+ goto end;
while (*s)
if (!isspace(*s++)) *wp++ = s[-1];
@@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, con
e = parse_expr(&p);
if (!verify_expr(e)) {
ff_eval_free(e);
- return NULL;
+ e = NULL;
}
+end:
+ av_free(w);
return e;
}
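Review bot: The `end:` label is now the single exit and frees `w` just before `e` is returned, which relies on two invariants that the code does not state. First, `w` is NULL when the allocation failed, so the cleanup depends on `av_free(NULL)` being a no-op. Second, the returned tree must not keep any pointer into `w`; `parse_expr` is not visible in this hunk, so that should be confirmed. I would document both at the label, for example `/* w is parse-time scratch only: e must not point into it; av_free(NULL) is a no-op */`.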