[FFmpeg-devel] [PATCH] lavu/mem: fix potential int overflow and crash in av_dynarray_add()
Michael Niedermayer
michaelni at gmx.at
Fri Apr 26 02:58:05 CEST 2013
On Thu, Apr 25, 2013 at 12:36:21AM +0200, Stefano Sabatini wrote:
> Also extend documentation accordingly.
> ---
> libavutil/mem.c | 5 ++++-
> libavutil/mem.h | 3 ++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/libavutil/mem.c b/libavutil/mem.c
> index 687ec55..b3534b3 100644
> --- a/libavutil/mem.c
> +++ b/libavutil/mem.c
> @@ -241,8 +241,11 @@ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem)
> if (nb == 0)
> nb_alloc = 1;
> else
> - nb_alloc = nb * 2;
> + nb_alloc = nb <= INT_MAX / (2 * sizeof(intptr_t)) ? nb * 2 :
> + INT_MAX / sizeof(intptr_t);
this doesn't look sufficient, I mean the array would be too small ...
> tab = av_realloc(tab, nb_alloc * sizeof(intptr_t));
> + if (!tab)
> + return;
> *(intptr_t**)tab_ptr = tab;
> }
> tab[nb++] = (intptr_t)elem;
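Review bot: the clamp on the `+ nb_alloc = nb <= INT_MAX / (2 * sizeof(intptr_t)) ? nb * 2 :` / `+ INT_MAX / sizeof(intptr_t);` lines can yield an nb_alloc that is not larger than nb, yet the hunk still executes `tab[nb++] = (intptr_t)elem;` unconditionally, so once nb reaches the cap the store lands past the end of the allocation and the patch only moves the overflow rather than removing it. The realloc-failure path already skips the store via `if (!tab) return;`; the capped case needs the same treatment: when `nb_alloc <= nb` the function should leave the array untouched and return before the append instead of clamping the size and continuing.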
> diff --git a/libavutil/mem.h b/libavutil/mem.h
> index 8ae0939..72610ef 100644
> --- a/libavutil/mem.h
> +++ b/libavutil/mem.h
> @@ -197,7 +197,8 @@ void av_freep(void *ptr);
> *
> * In case of success, the pointer to the array is updated in order to
> * contain the new growed array, and the number pointed to by nb_ptr
> - * is incremented.
> + * is incremented. In case of failure, the array is not modified and
> + * *nb_ptr is not updated.
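Review bot: the new sentences `+ * is incremented. In case of failure, the array is not modified and` / `+ * *nb_ptr is not updated.` document a failure mode that the void return of av_dynarray_add gives callers no way to observe, so existing callers that assume the element was appended will now silently lose it rather than crash. Either state explicitly that a caller must compare *nb_ptr before and after the call to detect failure, or change the interface so that growth failure is reported through an int return value (for example as a new variant that keeps the existing av_dynarray_add signature intact). While touching this comment, "new growed array" on the context line should read "new grown array".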
how could a user detect an error, also existing code that does not
check could misbehave in a worse way than before
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras