[FFmpeg-devel] [PATCH] Fix to crash in ff_rtsp_read_reply
Benoit Fouet
benoit.fouet at free.fr
Wed Oct 15 19:59:24 CEST 2014
Hi,
On 15/10/2014 19:42, Reimar Döffinger wrote:
> On Tue, Oct 14, 2014 at 04:30:39PM -0400, Michael Lynch wrote:
>> This patch fixes a crash in ff_rtsp_read_reply that can occur when the
>> Content Length field of the RTSP reply message is very high (e.g. near
>> INT_MAX) and causes av_malloc to return NULL.
>>
>> Thanks,
>> Michael
>>
>> commit 1e085fa751168813912f13f89b754e5711b13daa
>> Author: Michael Lynch <mtlynch at google.com>
>> Date: Tue Oct 14 14:19:40 2014 -0400
>>
>> Fixing crash in ff_rtsp_read_reply caused by failure to check the
>> result of memory allocation.
>>
>> diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
>> index 523a7c0..77f03ba 100644
>> --- a/libavformat/rtsp.c
>> +++ b/libavformat/rtsp.c
>> @@ -1150,6 +1150,8 @@ start:
>> if (content_length > 0) {
>> /* leave some room for a trailing '\0' (useful for simple parsing)
>> */
>> content = av_malloc(content_length + 1);
>> + if (!content)
>> + return AVERROR(ENOMEM);
>> ffurl_read_complete(rt->rtsp_hd, content, content_length);
>> content[content_length] = '\0';
>> }
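Review bot: The context line right after the new check, ffurl_read_complete(rt->rtsp_hd, content, content_length), still ignores its return value, so after a failed or short read content[content_length] = '\0' terminates a buffer that av_malloc left partly uninitialized. Consider checking that result and freeing content before returning an error. Separately, the description says content_length can be near INT_MAX; if it is an int equal to INT_MAX, content_length + 1 overflows before av_malloc is reached, so an explicit upper bound on content_length ahead of the allocation would be more robust than relying on the allocation to fail.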
> LGTM. It currently is the only allocation so a direct return should not
> leak anything.
I'd change the commit message to something less confusing, though.
"avformat/rtsp: check memory allocation" or something like this.
--
Ben
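
The failure mode described in the patch message, handled end to end, as an added example that is not part of this thread or of FFmpeg's code. It goes beyond the patch by also capping the declared length and checking the read result; `read_body`, `read_complete`, `struct mem_src` and `MAX_BODY` are hypothetical names, and the 1 MiB cap is an assumed policy value.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (1 << 20) /* assumed policy cap, not an FFmpeg constant */

/* Constructed stand-in for the network transport: a fixed in-memory buffer. */
struct mem_src { const char *data; size_t len, pos; };

/* Reads exactly n bytes, or fails with -EIO when fewer are available. */
static int read_complete(struct mem_src *s, char *dst, size_t n)
{
    if (s->len - s->pos < n)
        return -EIO;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Parse a Content-Length value and read that many bytes into a
 * NUL-terminated buffer. Returns 0 on success, negative errno on failure.
 * *out stays NULL on failure or when the declared length is 0. */
static int read_body(const char *clen_value, struct mem_src *src, char **out)
{
    char *end, *buf;
    long n;

    *out = NULL;
    errno = 0;
    n = strtol(clen_value, &end, 10);
    if (errno || end == clen_value || *end != '\0' || n < 0)
        return -EINVAL;
    if (n > MAX_BODY)   /* reject before n + 1 can overflow or exhaust memory */
        return -EMSGSIZE;
    if (n == 0)
        return 0;
    buf = malloc((size_t)n + 1); /* room for the trailing '\0' */
    if (!buf)                    /* the check the patch adds */
        return -ENOMEM;
    if (read_complete(src, buf, (size_t)n) < 0) {
        free(buf);               /* short read: do not return partial data */
        return -EIO;
    }
    buf[n] = '\0';
    *out = buf;
    return 0;
}
```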