Module: libav Branch: release/0.5 Commit: 056c909d9df7704c8e5bbaab9fdab5e7bc969e0b
Author: Alex Converse <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Thu Jan 26 17:21:46 2012 -0800 nsvdec: Be more careful with av_malloc(). Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a) Signed-off-by: Reinhard Tartler <[email protected]> (cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09) Signed-off-by: Reinhard Tartler <[email protected]> (cherry picked from commit 87007519c81c37d8a3de424de3db14078ae84333) Conflicts: libavformat/nsvdec.c --- libavformat/nsvdec.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index d592617..9e5f38d 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -317,7 +317,9 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) char *token, *value; char quote; - p = strings = av_mallocz(strings_size + 1); + p = strings = av_mallocz((size_t)strings_size + 1); + if (!p) + return AVERROR(ENOMEM); endp = strings + strings_size; get_buffer(pb, strings, strings_size); while (p < endp) { @@ -351,6 +353,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap) if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t)) return -1; nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t)); + if (!nsv->nsvf_index_data) + return AVERROR(ENOMEM); #warning "FIXME: Byteswap buffer as needed" get_buffer(pb, (unsigned char *)nsv->nsvf_index_data, table_entries * sizeof(uint32_t)); } _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
