Validate zmq_msg_size to prevent an integer overflow when calculating recv_buf_size (sz + 1). This ensures safe memory allocation on 32-bit architectures.
Signed-off-by: 0xBat <[email protected]> --- tools/zmqsend.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/zmqsend.c b/tools/zmqsend.c index dc5d426cc8..6e80fdab8c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -149,7 +149,13 @@ int main(int argc, char **argv) goto end; } - recv_buf_size = zmq_msg_size(&msg) + 1; + size_t sz = zmq_msg_size(&msg); + if (sz == SIZE_MAX) { + av_log(NULL, AV_LOG_ERROR, "Message too large (overflow detected)\n"); + ret = 1; + goto end; + } + recv_buf_size = sz + 1; recv_buf = av_malloc(recv_buf_size); if (!recv_buf) { av_log(NULL, AV_LOG_ERROR, -- 2.52.0.windows.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
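Review bot: the `if (sz == SIZE_MAX)` check in the new block only guards against `sz + 1` wrapping in `size_t`; the declaration of `recv_buf_size` is not visible in this hunk, and if it is narrower than `size_t` (an `int`, for example) the assignment `recv_buf_size = sz + 1;` can still truncate or go negative for large messages, so `av_malloc(recv_buf_size)` would be sized smaller than the message. Suggest making `recv_buf_size` a `size_t`, or bounding `sz` against the maximum of the type it is actually stored in. Two smaller points: `SIZE_MAX` comes from `<stdint.h>` and the diff adds no include, so confirm it is already reachable in tools/zmqsend.c; and `size_t sz` is declared in the middle of the block after statements, so consider moving it up to the other declarations at the top of `main`.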
