[MPlayer-dev-eng] [PATCH] unchecked result of ICDecompressGetFormatSize leads to crash
Gianluigi Tiesi
mplayer at netfarm.it
Wed Oct 17 07:03:18 CEST 2007
Currently the vfw code calls ICDecompressGetFormatSize
(a macro to SendMessage).
It should return the size of the struct, but
while using vp6vfw.dll and/or maybe other dlls,
the returned value is -2.
Then mplayer does malloc(-2)
and memset(,,-2),
then crashes.

I've not added free(priv) since the other check also does not
free it.
Regards
--
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
-------------- next part --------------
Index: libmpcodecs/vd_vfw.c
===================================================================
--- libmpcodecs/vd_vfw.c (revision 24796)
+++ libmpcodecs/vd_vfw.c (working copy)
@@ -171,6 +171,11 @@
// sh->bih->biBitCount=32;
o_bih_len = ICDecompressGetFormatSize(priv->handle, sh->bih);
+
+ if(o_bih_len <= 0){
+ mp_msg(MSGT_WIN32,MSGL_ERR,"ICDecompressGetFormatSize returned a bogus value: %d\n", o_bih_len);
+ return 0;
+ }
priv->o_bih = malloc(o_bih_len);
memset(priv->o_bih, 0, o_bih_len);
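Review bot: the `malloc(o_bih_len)` result in the context lines directly after the new check is still handed to `memset` without a NULL test, so a positive but unreasonably large size returned by the codec can still crash here; consider checking `priv->o_bih` for NULL in the same change and failing with a message the same way. The new `return 0;` also leaves `priv` and the opened `priv->handle` unreleased, which the message says mirrors the existing check; unless the caller cleans up on a failed init, both early returns would be better fixed together. Printing the value with `%d` is useful for diagnosing which DLL misbehaves and worth keeping.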