[FFmpeg-devel] [PATCH 3/6] eval: replace variable-length array with av_malloc/free
Mans Rullgard
mans
Wed Aug 19 03:22:59 CEST 2009
It is theoretically possible to pass a very long string to ff_parse,
which could crash if the buffer for it is allocated from the stack. This
change allows the allocation to be checked properly.
---
libavcodec/eval.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavcodec/eval.c b/libavcodec/eval.c
index 95e9310..1d52ba5 100644
--- a/libavcodec/eval.c
+++ b/libavcodec/eval.c
@@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
double (**func2)(void *, double, double), const char **func2_name,
const char **error){
Parser p;
- AVEvalExpr * e;
- char w[strlen(s) + 1], * wp = w;
+ AVEvalExpr *e = NULL;
+ char *w = av_malloc(strlen(s) + 1);
+ char *wp = w;
+
+ if (!w)
+ goto end;
while (*s)
if (!isspace(*s++)) *wp++ = s[-1];
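Review bot: The new `if (!w) goto end;` path returns NULL without writing anything through the `error` out-parameter, so a caller cannot tell an allocation failure from a rejected expression, and one that reads `*error` after a NULL return would see whatever it held before the call. Consider setting it on this path, e.g. `if (!w) { *error = "out of memory"; goto end; }`; whether `error` may be NULL is not visible in this hunk, so guard the store if it can be. Separately, the unchanged `isspace(*s++)` in the loop below passes a plain `char`, which is undefined behaviour for bytes with a negative value; `isspace((unsigned char)*s++)` avoids that. ff_parse's body continues outside the hunk.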
@@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
e = parse_expr(&p);
if (!verify_expr(e)) {
ff_eval_free(e);
- return NULL;
+ e = NULL;
}
+end:
+ av_free(w);
return e;
}
--
1.6.4