Validate zmq_msg_size to prevent an integer overflow when calculating
recv_buf_size (sz + 1). This ensures safe memory allocation on 32-bit
architectures.
---
tools/zmqsend.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/zmqsend.c b/tools/zmqsend.c
index dc5d426cc8..c0d5a1484d 100644
--- a/tools/zmqsend.c
+++ b/tools/zmqsend.c
@@ -59,6 +59,7 @@ int main(int argc, char **argv)
int c;
int recv_buf_size, ret = 0;
void *zmq_ctx, *socket;
+ size_t sz;
const char *bind_address = "tcp://localhost:5555";
const char *infilename = NULL;
FILE *infile = NULL;
@@ -149,7 +150,13 @@ int main(int argc, char **argv)
goto end;
}
- recv_buf_size = zmq_msg_size(&msg) + 1;
+ sz = zmq_msg_size(&msg);
+ if (sz == SIZE_MAX) {
+ av_log(NULL, AV_LOG_ERROR, "Message too large (overflow detected)\n");
+ ret = 1;
+ goto end;
+ }
+ recv_buf_size = sz + 1;
recv_buf = av_malloc(recv_buf_size);
if (!recv_buf) {
av_log(NULL, AV_LOG_ERROR,
--
2.52.0.windows.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
