[FFmpeg-devel] avformat/utils: check for overflow before reallocating side data

Message ID 20161119180915.7056-1-jamrial@gmail.com
State Accepted
Commit 0ffea3565700c9b3093ead285f729bb319a2163e

Commit Message

James Almer Nov. 19, 2016, 6:09 p.m. UTC
This makes av_stream_add_side_data() consistent with av_packet_add_side_data().

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Nov. 19, 2016, 10:19 p.m. UTC | #1
On Sat, Nov 19, 2016 at 03:09:15PM -0300, James Almer wrote:
> This makes av_stream_add_side_data() consistent with av_packet_add_side_data().
> 
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
>  libavformat/utils.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

LGTM

thx

[...]
James Almer Nov. 19, 2016, 11:28 p.m. UTC | #2
On 11/19/2016 7:19 PM, Michael Niedermayer wrote:
> On Sat, Nov 19, 2016 at 03:09:15PM -0300, James Almer wrote:
>> This makes av_stream_add_side_data() consistent with av_packet_add_side_data().
>>
>> Signed-off-by: James Almer <jamrial@gmail.com>
>> ---
>>  libavformat/utils.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> LGTM
> 
> thx

Pushed, Thanks.
Neil Birkbeck Nov. 22, 2016, 12:37 a.m. UTC | #3
On Sat, Nov 19, 2016 at 3:28 PM, James Almer <jamrial@gmail.com> wrote:

> On 11/19/2016 7:19 PM, Michael Niedermayer wrote:
> > On Sat, Nov 19, 2016 at 03:09:15PM -0300, James Almer wrote:
> >> This makes av_stream_add_side_data() consistent with
> av_packet_add_side_data().
> >>
> >> Signed-off-by: James Almer <jamrial@gmail.com>
> >> ---
> >>  libavformat/utils.c | 5 ++++-
> >>  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > LGTM
> >
> > thx
>
> Pushed, Thanks.


Isn't the realloc missing brackets around the num elements:
   tmp = av_realloc(st->side_data, (st->nb_side_data + 1) * sizeof(*tmp));
James Almer Nov. 22, 2016, 2:06 a.m. UTC | #4
On 11/21/2016 9:37 PM, Neil Birkbeck wrote:
> On Sat, Nov 19, 2016 at 3:28 PM, James Almer <jamrial@gmail.com> wrote:
> 
>> On 11/19/2016 7:19 PM, Michael Niedermayer wrote:
>>> On Sat, Nov 19, 2016 at 03:09:15PM -0300, James Almer wrote:
>>>> This makes av_stream_add_side_data() consistent with
>> av_packet_add_side_data().
>>>>
>>>> Signed-off-by: James Almer <jamrial@gmail.com>
>>>> ---
>>>>  libavformat/utils.c | 5 ++++-
>>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> LGTM
>>>
>>> thx
>>
>> Pushed, Thanks.
> 
> 
> Isn't the realloc missing brackets around the num elements:
>    tmp = av_realloc(st->side_data, (st->nb_side_data + 1) * sizeof(*tmp));

Yikes, yes, thanks a lot for noticing. Pushed that fix.

Patch

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 19bb8bd..9d01bab 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -5121,7 +5121,10 @@  int av_stream_add_side_data(AVStream *st, enum AVPacketSideDataType type,
         }
     }
 
-    tmp = av_realloc_array(st->side_data, st->nb_side_data + 1, sizeof(*tmp));
+    if ((unsigned)st->nb_side_data + 1 >= INT_MAX / sizeof(*st->side_data))
+        return AVERROR(ERANGE);
+
+    tmp = av_realloc(st->side_data, st->nb_side_data + 1 * sizeof(*tmp));
     if (!tmp) {
         return AVERROR(ENOMEM);
     }
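Review bot: the size argument on the added av_realloc() line, `st->nb_side_data + 1 * sizeof(*tmp)`, is missing parentheses around the element count. Multiplication binds tighter than addition, so the request is nb_side_data + sizeof(*tmp) bytes rather than room for nb_side_data + 1 elements. The first entry fits, but once nb_side_data is 1 or more the buffer is smaller than the array the caller goes on to index, and a write to the new last element lands past the end of the allocation. Write it as `(st->nb_side_data + 1) * sizeof(*tmp)`. Alternatively, keep the removed av_realloc_array() call after the new ERANGE check, since it takes the count and element size separately and leaves no expression to get wrong. A smaller point: the range check divides by sizeof(*st->side_data) while the allocation multiplies by sizeof(*tmp); using the same expression in both places makes it obvious the bound and the allocation refer to the same element size.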