[FFmpeg-cvslog] r18138 - trunk/libavformat/mov.c
Måns Rullgård
mans
Sun Mar 22 14:41:49 CET 2009
Baptiste Coudurier <baptiste.coudurier at gmail.com> writes:
> bcoudurier wrote:
>> Author: bcoudurier
>> Date: Sun Mar 22 03:47:35 2009
>> New Revision: 18138
>>
>> Log:
>> since code now uses get_bits_long, allocate padding buffer
>>
>> Modified:
>> trunk/libavformat/mov.c
>>
>> Modified: trunk/libavformat/mov.c
>> ==============================================================================
>> --- trunk/libavformat/mov.c Sun Mar 22 03:04:28 2009 (r18137)
>> +++ trunk/libavformat/mov.c Sun Mar 22 03:47:35 2009 (r18138)
>> @@ -1166,7 +1166,7 @@ static int mov_read_stsz(MOVContext *c,
>>
>> num_bytes = (entries*field_size+4)>>3;
>>
>> - buf = av_malloc(num_bytes);
>> + buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
>> if (!buf) {
>> av_freep(&sc->sample_sizes);
>> return AVERROR(ENOMEM);
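Review bot: the size on the changed line inherits `num_bytes = (entries*field_size+4)>>3` from the context line above it, and that multiplication has no visible bound; if the product wraps, `av_malloc` succeeds with a buffer smaller than `entries*field_size` bits. Suggest rejecting `entries` above a limit derived from `field_size` before `num_bytes` is computed. The addition of `FF_INPUT_BUFFER_PADDING_SIZE` itself looks safe, since `num_bytes` has already been shifted right by 3. The visible lines also do not initialize the padding bytes; if nothing below the hunk does, zero them so that a bit reader running past `num_bytes` sees defined data.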
>
> Humm, I believe this needs a malloc overflow check, right?
num_bytes+FF_INPUT_BUFFER_PADDING_SIZE can't overflow since num_bytes
is something >> 3 and FF_INPUT_BUFFER_PADDING_SIZE is fairly small.
Depending on where "entries" comes from, there could be a potential
overflow in the calculation of num_bytes, but that was already there.
--
Måns Rullgård
mans at mansr.com
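
The overflow reasoning in the reply above, as an added example that is not part of the original message or of FFmpeg's code. It assumes 32-bit unsigned `entries` and `field_size` (their types are not visible in the hunk) and uses a constructed `PAD_SIZE` in place of `FF_INPUT_BUFFER_PADDING_SIZE`; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for FF_INPUT_BUFFER_PADDING_SIZE (value assumed). */
#define PAD_SIZE 8u

/* Same expression as the hunk, with 32-bit unsigned operands (assumed):
 * entries*field_size wraps modulo 2^32 before the shift. */
static uint32_t num_bytes_unchecked(uint32_t entries, uint32_t field_size)
{
    return (entries * field_size + 4) >> 3;
}

/* Checked form: computes the bit count in 64 bits and rejects anything that
 * does not fit in 32. Returns 0 and stores the byte count, or -1. */
static int num_bytes_checked(uint32_t entries, uint32_t field_size,
                             uint32_t *out)
{
    uint64_t bits = (uint64_t)entries * field_size + 4;
    if (bits > UINT32_MAX)
        return -1;
    *out = (uint32_t)(bits >> 3);
    return 0;
}

/* Allocation with padding. After >> 3 the count is at most 0x1FFFFFFF,
 * so adding the small padding cannot wrap (the point made in the reply). */
static void *alloc_bitbuf(uint32_t entries, uint32_t field_size,
                          uint32_t *num_bytes)
{
    if (num_bytes_checked(entries, field_size, num_bytes) < 0)
        return NULL;
    return malloc((size_t)*num_bytes + PAD_SIZE);
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed input: 2^29 entries of 16 bits each is 2^33 bits. */
    printf("unchecked: %u bytes\n", (unsigned)num_bytes_unchecked(0x20000000u, 16));
    printf("checked:   %s\n", alloc_bitbuf(0x20000000u, 16, &n) ? "allocated" : "rejected");
    void *p = alloc_bitbuf(100, 4, &n);
    printf("100 x 4 bits: %u bytes\n", (unsigned)n);
    free(p);
    return 0;
}
```

With the constructed input the unchecked expression yields a zero-byte request, while the checked path refuses the allocation.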