From 0314dead4e7c058568e792842405190c06d71da5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5ns=20Rullg=C3=A5rd?=
Date: Wed, 19 Aug 2009 21:59:40 +0000
Subject: [PATCH] eval: replace variable-length array with av_malloc/free

There is a theoretical possibility to pass a very long string to ff_parse, which could crash if allocated from the stack. This allows the allocation to be checked properly.

Originally committed as revision 19670 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/eval.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/eval.c b/libavcodec/eval.c
index 95e93107f8..1d52ba582b 100644
--- a/libavcodec/eval.c
+++ b/libavcodec/eval.c
@@ -369,8 +369,12 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
 double (**func2)(void *, double, double), const char **func2_name,
 const char **error){
 Parser p;
- AVEvalExpr * e;
- char w[strlen(s) + 1], * wp = w;
+ AVEvalExpr *e = NULL;
+ char *w = av_malloc(strlen(s) + 1);
+ char *wp = w;
+
+ if (!w)
+ goto end;
 
 while (*s)
 if (!isspace(*s++)) *wp++ = s[-1];
@@ -388,8 +392,10 @@ AVEvalExpr * ff_parse(const char *s, const char * const *const_name,
 e = parse_expr(&p);
 if (!verify_expr(e)) {
 ff_eval_free(e);
- return NULL;
+ e = NULL;
 }
+end:
+ av_free(w);
 return e;
 }
 
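Review bot: On allocation failure the new `if (!w) goto end;` returns NULL without writing anything through the `error` out-parameter, so a caller that reports `*error` whenever ff_parse returns NULL may read a stale or uninitialised pointer. How `error` is used is outside the hunk, so this is inferred from the signature. If `error` is never NULL here, setting it before the jump would make the failure distinguishable from a parse error: `if (!w) { *error = "out of memory"; goto end; }`. The rest of ff_parse's body lies outside the hunk.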
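Review bot: The `end:` label is now the only place `w` is released, but nothing in the code states that every exit must pass through it. The hunk converts the one `return NULL` visible here. New-file lines 381-391 sit between the two hunks and are not shown, so any early return there, now or in a later change, would leak `w`. I would add a comment at the label to record the ownership rule, e.g. `/* single exit: w is owned by ff_parse and freed here */`.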