[FFmpeg-devel] [PATCH] urlconcat protocol

Michael Niedermayer michaelni
Sun Jan 31 02:03:46 CET 2010


On Sat, Jan 30, 2010 at 11:35:56PM +0100, Michele Orrù wrote:
[...]
> +static int urlconcat_open(URLContext *h, const char *uri, int flags)
> +{
> +    char *upath = NULL;
> +    int err = 0;
> +    int64_t size;
> +    size_t  len, i;
> +    URLContext *uc;
> +    struct urlconcat_data *udata;
> +    struct urlconcat_nodes *unodes;
> +
> +    av_strstart(uri, "cat:", &uri);
> +
> +    /* creating udata */
> +    if (!(udata = av_mallocz(sizeof(*udata))))
> +        return AVERROR(ENOMEM);
> +    h->priv_data = udata;
> +    /* creating udata->urls */
> +    for (i=0, len = 1; uri[i]; i++)  /* cat:[url]|[url] -> urls = sep+1 */
> +        if (uri[i] == *AV_CAT_SEPARATOR) len++;
> +    if (!(unodes = av_malloc(sizeof(*unodes) * len))) {
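
Review bot: the size passed to av_malloc(), sizeof(*unodes) * len, is computed with no upper bound on len, which is counted straight from the caller-supplied uri. Reject the input before allocating when len > SIZE_MAX / sizeof(*unodes), or apply a fixed cap on the number of nodes, so the product cannot wrap. The return value of av_strstart(uri, "cat:", &uri) is also ignored, so a uri without the prefix is parsed as if it were the list; check it and return an error if it is 0.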

integer overflow that could lead to a too small buffer to be allocated


> +        av_free(udata);
> +        h->priv_data = NULL;
> +        return AVERROR(ENOMEM);
> +    } else
> +        udata->urls = unodes;
> +
> +    /* handle input */
> +    if (!*uri) err = AVERROR(ENOENT);
> +    for (i = 0; *uri; i++) {
> +        /* parsing uri */
> +        len = strcspn(uri, AV_CAT_SEPARATOR);

> +        upath = av_realloc(upath, len);
> +        if (!upath) {
> +            err = AVERROR(ENOMEM);
> +            break;
> +        }
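
Review bot: the counting loop tests uri[i] == *AV_CAT_SEPARATOR, which looks only at the first character of the macro, while strcspn(uri, AV_CAT_SEPARATOR) in the parsing loop treats every character of the string as a delimiter. The first sizes unodes and the second decides how many segments are parsed, so the two agree only while AV_CAT_SEPARATOR is a one-character string. Make the separator a single char constant used in both places, or derive both the count and the split from the same strcspn() call, and bound i by the allocated node count inside the loop.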

memleak, av_realloc() does not free its input buffer if it returns NULL


> +        av_strlcpy(upath, uri, len+1);
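
Review bot: av_strlcpy(upath, uri, len+1) copies up to len characters and then writes a terminating NUL, len+1 bytes in total, but upath was resized to only len bytes by av_realloc(upath, len) just above, so the terminator lands one byte past the end of the allocation. Allocate len + 1 bytes so the size argument given to av_strlcpy() matches the buffer.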

+1 ?


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates