[FFmpeg-devel] [PATCH] use av_mallocz() in vorbis_comment()

Justin Ruggles justin.ruggles
Thu Feb 12 03:45:39 CET 2009


Måns Rullgård wrote:
> Justin Ruggles <justin.ruggles at gmail.com> writes:
> 
>> Hi,
>>
>> This patch avoids allocating memory on the stack based on decoded stream
>> values which can be up to 32-bit.  Mans has pointed out that the current
>> version is not a security risk, it would just crash with SIGSEGV for
>> really large metadata.  This patch skips the single metadata tag if
>> allocation fails and continues on to the next tag.
>>
>> Thanks,
>> Justin
>>
>>
>> Index: libavformat/oggparsevorbis.c
>> ===================================================================
>> --- libavformat/oggparsevorbis.c	(revision 17145)
>> +++ libavformat/oggparsevorbis.c	(working copy)
>> @@ -71,15 +71,21 @@
>>          v++;
>>  
>>          if (tl && vl) {
>> -            char tt[tl + 1];
>> -            char ct[vl + 1];
>> +            char *tt, *ct;
>>  
>> +            tt = av_mallocz(tl + 1);
>> +            ct = av_mallocz(vl + 1);
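
Review bot: in `tt = av_mallocz(tl + 1);` and `ct = av_mallocz(vl + 1);` the sizes derive from the decoded stream lengths the message describes as up to 32-bit, so the `+ 1` can wrap to a very small allocation if a length is at the maximum of its type; bound `tl` and `vl` against the bytes remaining in the comment data before allocating. The quoted hunk ends before any failure handling is visible, so confirm that both pointers are checked for NULL before they are written, and that when only one of the two allocations fails the other is released with av_free() before the tag is skipped.
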
> 
> Why mallocz?  It's being written again immediately below.

No particular reason. New patch attached.

-Justin


-------------- next part --------------
A non-text attachment was scrubbed...
Name: vorbiscomment_av_malloc.diff
Type: text/x-diff
Size: 767 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20090211/45270cc2/attachment.diff>


