[FFmpeg-cvslog] r19670 - trunk/libavcodec/eval.c

mru subversion
Wed Aug 19 23:59:41 CEST 2009


Author: mru
Date: Wed Aug 19 23:59:40 2009
New Revision: 19670

Log:
eval: replace variable-length array with av_malloc/free

There is a theoretical possibility to pass a very long string to ff_parse,
which could crash if allocated from the stack.  This allows the allocation
to be checked properly.

Modified:
   trunk/libavcodec/eval.c

Modified: trunk/libavcodec/eval.c
==============================================================================
--- trunk/libavcodec/eval.c	Wed Aug 19 23:59:36 2009	(r19669)
+++ trunk/libavcodec/eval.c	Wed Aug 19 23:59:40 2009	(r19670)
@@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, con
                double (**func2)(void *, double, double), const char **func2_name,
                const char **error){
     Parser p;
-    AVEvalExpr * e;
-    char w[strlen(s) + 1], * wp = w;
+    AVEvalExpr *e = NULL;
+    char *w = av_malloc(strlen(s) + 1);
+    char *wp = w;
+
+    if (!w)
+        goto end;
 
     while (*s)
         if (!isspace(*s++)) *wp++ = s[-1];
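Review bot: The new `if (!w) goto end;` path returns NULL without writing anything through `error`, so a caller cannot tell an allocation failure from a parse error, and a caller that prints `*error` after a NULL return would read whatever it held before the call. The code that uses `error` is outside this hunk, so this is inferred from the signature; if it holds and `error` is never NULL, `if (!w) { *error = "out of memory"; goto end; }` would cover it. Separately, the context line `if (!isspace(*s++))` passes a plain `char` to `isspace`, which is undefined for negative values where `char` is signed; `isspace((unsigned char)*s++)` keeps non-ASCII bytes in the expression string well defined. ff_parse begins before this hunk and continues past it.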
@@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, con
     e = parse_expr(&p);
     if (!verify_expr(e)) {
         ff_eval_free(e);
-        return NULL;
+        e = NULL;
     }
+end:
+    av_free(w);
     return e;
 }
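Review bot: Nothing at the `end:` label says that every exit after the allocation has to pass through it. The lines between the two hunks are not visible here, so any `return` in that stretch, existing or added later, would leak `w`. A short comment above the label would state the invariant, for example `/* single exit: w is NULL here if the allocation failed; av_free() accepts NULL */`. The function body begins outside this hunk.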
 


