Message ID | 20191226003338.356-1-lance.lmwang@gmail.com |
---|---|
State | New |
ping On Thu, Dec 26, 2019 at 08:33:38AM +0800, lance.lmwang@gmail.com wrote:
> From: Limin Wang <lance.lmwang@gmail.com>
>
> Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> ---
> libavutil/frame.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/libavutil/frame.c b/libavutil/frame.c
> index e403809..2e763ef 100644
> --- a/libavutil/frame.c
> +++ b/libavutil/frame.c
> @@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame,
> if (!buf)
> return NULL;
>
> - if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
> - return NULL;
> -
> - tmp = av_realloc(frame->side_data,
> - (frame->nb_side_data + 1) * sizeof(*frame->side_data));
> + tmp = av_realloc_array(frame->side_data,
> + frame->nb_side_data + 1, sizeof(*frame->side_data));
> if (!tmp)
> return NULL;
> frame->side_data = tmp;
> --
> 2.9.5
>
ping. On Thu, Dec 26, 2019 at 08:33:38AM +0800, lance.lmwang@gmail.com wrote:
> From: Limin Wang <lance.lmwang@gmail.com>
>
> Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> ---
> libavutil/frame.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/libavutil/frame.c b/libavutil/frame.c
> index e403809..2e763ef 100644
> --- a/libavutil/frame.c
> +++ b/libavutil/frame.c
> @@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame,
> if (!buf)
> return NULL;
>
> - if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
> - return NULL;
> -
> - tmp = av_realloc(frame->side_data,
> - (frame->nb_side_data + 1) * sizeof(*frame->side_data));
> + tmp = av_realloc_array(frame->side_data,
> + frame->nb_side_data + 1, sizeof(*frame->side_data));
> if (!tmp)
> return NULL;
> frame->side_data = tmp;
> --
> 2.9.5
>
On Thu, Dec 26, 2019 at 08:33:38AM +0800, lance.lmwang@gmail.com wrote:
> From: Limin Wang <lance.lmwang@gmail.com>
>
> Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> ---
> libavutil/frame.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/libavutil/frame.c b/libavutil/frame.c
> index e403809..2e763ef 100644
> --- a/libavutil/frame.c
> +++ b/libavutil/frame.c
> @@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame,
> if (!buf)
> return NULL;
>
> - if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
> - return NULL;
> -
> - tmp = av_realloc(frame->side_data,
> - (frame->nb_side_data + 1) * sizeof(*frame->side_data));
> + tmp = av_realloc_array(frame->side_data,
> + frame->nb_side_data + 1, sizeof(*frame->side_data));
this depends on undocumented behavior of av_realloc_array() checking against INT_MAX, also theres a patch to increase this undocumented limit on the ML. This and that other patch would result in inadequate checking and potential overflow Thanks [...]
diff --git a/libavutil/frame.c b/libavutil/frame.c
index e403809..2e763ef 100644
--- a/libavutil/frame.c
+++ b/libavutil/frame.c
@@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame *frame,
 if (!buf)
 return NULL;
 
- if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1)
- return NULL;
-
- tmp = av_realloc(frame->side_data,
- (frame->nb_side_data + 1) * sizeof(*frame->side_data));
+ tmp = av_realloc_array(frame->side_data,
+ frame->nb_side_data + 1, sizeof(*frame->side_data));
 if (!tmp)
 return NULL;
 frame->side_data = tmp;
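Review bot: The `frame->nb_side_data + 1` argument on the second added line is computed in the counter's own type before av_realloc_array() receives it, and with the explicit guard removed nothing in this function bounds that addition. If nb_side_data is an int, as the removed INT_MAX comparison suggests, a count at the maximum would make this signed overflow, which is undefined behaviour. A local bound ahead of the call, for example `if (frame->nb_side_data >= INT_MAX) return NULL;`, keeps the function safe on its own terms, and a short comment there could state which limit the side-data count is expected to respect. The function body starts and ends outside the hunk, so the later use of the counter as an index is not visible here.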