[FFmpeg-devel] [HACK] Remove MAX_STREAMS usages

Aurelien Jacobs aurel
Wed Aug 11 17:30:56 CEST 2010


On Tue, Aug 10, 2010 at 03:40:49PM +0200, Reimar Döffinger wrote:
> On Tue, Aug 10, 2010 at 01:14:56AM +0200, Aurelien Jacobs wrote:
> > diff --git a/libavformat/utils.c b/libavformat/utils.c
> > index edd3d19..363f685 100644
> > --- a/libavformat/utils.c
> > +++ b/libavformat/utils.c
> > @@ -2516,13 +2516,20 @@ void av_close_input_file(AVFormatContext *s)
> >  
> >  AVStream *av_new_stream(AVFormatContext *s, int id)
> >  {
> > -    AVStream *st;
> > +    AVStream **streams, *st;
> >      int i;
> >  
> > +#if LIBAVFORMAT_VERSION_MAJOR < 53
> >      if (s->nb_streams >= MAX_STREAMS){
> >          av_log(s, AV_LOG_ERROR, "Too many streams\n");
> >          return NULL;
> >      }
> > +#else
> > +    streams = av_realloc(s->streams, (s->nb_streams + 1) * sizeof(*streams));
> > +    if (!streams)
> > +        return NULL;
> > +    s->streams = streams;
> > +#endif
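Review bot: the `#else` branch computes `(s->nb_streams + 1) * sizeof(*streams)` with no upper bound on `s->nb_streams`, so the size expression can wrap and `av_realloc` would then succeed with a buffer too small for the stream count. Reject the call before the realloc when `s->nb_streams` is at or above the largest count whose size still fits (for example a comparison against `INT_MAX / sizeof(*streams)`), and return NULL in that case. Unlike the `MAX_STREAMS` branch, the new failure path also returns NULL without an `av_log` message, which makes the failure harder to diagnose.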
> 
> You removed the integer overflow check, thus making it exploitable
> (at the very least to make it crash).

Indeed, I was a bit too fast about this.
Fixed version attached.

Aurel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: max_stream_api.diff
Type: text/x-diff
Size: 1445 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100811/a8785838/attachment.diff>


