diff utils.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
author | michael |
---|---|
date | Sat, 08 Jan 2005 14:21:33 +0000 |
parents | aff6e233426a |
children | 253b5292946a |
--- a/utils.c Thu Jan 06 00:54:03 2005 +0000
+++ b/utils.c Sat Jan 08 14:21:33 2005 +0000
@@ -180,7 +180,10 @@
 */
 int av_new_packet(AVPacket *pkt, int size)
 {
- void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
+ void *data;
+ if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
+ data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data)
 return AVERROR_NOMEM;
 memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
@@ -200,6 +203,8 @@
 uint8_t *data;
 /* we duplicate the packet and don't forget to put the padding again */
+ if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_NOMEM;
 data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!data) {
 return AVERROR_NOMEM;
@@ -277,8 +282,8 @@
 return 0;
 }
-void fifo_realloc(FifoBuffer *f, int new_size){
- int old_size= f->end - f->buffer;
+void fifo_realloc(FifoBuffer *f, unsigned int new_size){
+ unsigned int old_size= f->end - f->buffer;
 if(old_size < new_size){
 uint8_t *old= f->buffer;
@@ -1007,10 +1012,16 @@
 AVIndexEntry *entries, *ie;
 int index;
+ if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
+ return -1;
+
 entries = av_fast_realloc(st->index_entries, &st->index_entries_allocated_size, (st->nb_index_entries + 1) * sizeof(AVIndexEntry));
+ if(!entries)
+ return -1;
+
 st->index_entries= entries;
 index= av_index_search_timestamp(st, timestamp, 0);
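Review bot: The guard added at the top of av_new_packet tests unsigned wraparound of `size + FF_INPUT_BUFFER_PADDING_SIZE`, but `size` is a signed int, and a negative value further below zero than the padding (for example `-2 * FF_INPUT_BUFFER_PADDING_SIZE`) does not wrap the sum and passes the guard; the same applies to the `pkt->size` guard in the av_dup_packet hunk at `@@ -200,6 +203,8 @@`. Whether such a value then ends in the `if (!data)` path depends on av_malloc rejecting the huge converted request, and `memset(data + size, 0, ...)` three lines below would otherwise write before the start of the buffer. A check stated in the variable's own type expresses the intent and does not lean on the allocator: `if (size < 0 || size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return AVERROR_NOMEM;` (INT_MAX comes from <limits.h>, which the UINT_MAX use in the av_add_index_entry hunk already needs). The body of av_new_packet continues past the end of the hunk.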
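Review bot: Changing `new_size` to `unsigned int` in the fifo_realloc definition only takes effect if the prototype callers compile against is changed the same way; this view shows only utils.c, so confirm the declaration in the header is updated in the same commit, otherwise the two declarations conflict and an int-passing caller keeps its old signed semantics. `old_size` is now assigned from a pointer difference (ptrdiff_t) into an unsigned int, which is harmless while `f->end >= f->buffer` but is an implicit narrowing worth a word. A one-line comment at the signature would make the new contract visible to callers, e.g. `/* new_size is unsigned: callers must not pass negative lengths */`. The allocation that follows `if(old_size < new_size)` is outside the hunk, so how an oversized request is handled cannot be checked from here.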
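Review bot: The new `if(!entries) return -1;` after av_fast_realloc correctly leaves `st->index_entries` pointing at the old buffer, but `&st->index_entries_allocated_size` was handed to av_fast_realloc and may already have been raised to the larger target size before the underlying realloc failed (av_fast_realloc's body is not in this view; verify its contract). If so, the next call would see the recorded size as sufficient, hand back the old buffer unchanged, and the caller would write past its real end — the same class of heap corruption this commit sets out to stop; `st->index_entries_allocated_size = 0;` on the failure path, or having av_fast_realloc reset `*size` itself when it fails, closes that window. Separately, the guard `(unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry)` is evaluated in size_t because of `sizeof`, which is fine, but `nb_index_entries` is an int and a count of -1 converts to UINT_MAX, so `+ 1` wraps to 0 and passes; `if (st->nb_index_entries < 0 || (unsigned)st->nb_index_entries >= UINT_MAX / sizeof(AVIndexEntry) - 1) return -1;` rejects both cases. av_add_index_entry continues past the end of the hunk.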