From 6fbb21d6858b9d0152f89e1b30ffe683a9d33948 Mon Sep 17 00:00:00 2001
From: Nicolas George <nicolas.george@normalesup.org>
Date: Sat, 13 Apr 2013 11:27:52 +0200
Subject: [PATCH 1/4] lavfi/buffersink: factor checks for lists sizes.

---
 libavfilter/buffersink.c | 34 ++++++++++++----------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/libavfilter/buffersink.c b/libavfilter/buffersink.c
index 769be8352c..14ead2bb0c 100644
--- a/libavfilter/buffersink.c
+++ b/libavfilter/buffersink.c
@@ -384,6 +384,13 @@ static av_cold int vsink_init(AVFilterContext *ctx, void *opaque)
     return common_init(ctx);
 }
 
+#define CHECK_LIST_SIZE(field) \
+        if (buf->field ## _size % sizeof(*buf->field)) { \
+            av_log(ctx, AV_LOG_ERROR, "Invalid size for " #field ": %d, " \
+                   "should be multiple of %d\n", \
+                   buf->field ## _size, (int)sizeof(*buf->field)); \
+            return AVERROR(EINVAL); \
+        }
 static int vsink_query_formats(AVFilterContext *ctx)
 {
     BufferSinkContext *buf = ctx->priv;
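Review bot: CHECK_LIST_SIZE expands to a bare `if (...) { ...; return AVERROR(EINVAL); }` block rather than a single statement, and it hides both a `return` and implicit uses of `buf` and `ctx`, so the semicolon-less call sites in vsink_query_formats and asink_query_formats (the two later hunks) can leave the function without that being visible to the reader. Wrapping the body in `do { ... } while (0)` and invoking it as `CHECK_LIST_SIZE(pixel_fmts);` would keep it safe under an unbraced `if`/`else`. A comment above the define such as `/* Returns AVERROR(EINVAL) from the enclosing function; expects buf and ctx in scope. */` would document the hidden control flow on this input-validation path. The macro is never `#undef`'d after its last use, and a blank line is missing between it and vsink_query_formats, whose body continues outside this hunk.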
@@ -391,11 +398,7 @@ static int vsink_query_formats(AVFilterContext *ctx)
     unsigned i;
     int ret;
 
-    if (buf->pixel_fmts_size % sizeof(*buf->pixel_fmts)) {
-        av_log(ctx, AV_LOG_ERROR, "Invalid size for format list\n");
-        return AVERROR(EINVAL);
-    }
-
+    CHECK_LIST_SIZE(pixel_fmts)
     if (buf->pixel_fmts_size) {
         for (i = 0; i < NB_ITEMS(buf->pixel_fmts); i++)
             if ((ret = ff_add_format(&formats, buf->pixel_fmts[i])) < 0)
@@ -433,23 +436,10 @@ static int asink_query_formats(AVFilterContext *ctx)
     unsigned i;
     int ret;
 
-    if (buf->sample_fmts_size     % sizeof(*buf->sample_fmts)     ||
-        buf->sample_rates_size    % sizeof(*buf->sample_rates)    ||
-        buf->channel_layouts_size % sizeof(*buf->channel_layouts) ||
-        buf->channel_counts_size  % sizeof(*buf->channel_counts)) {
-        av_log(ctx, AV_LOG_ERROR, "Invalid size for format lists\n");
-#define LOG_ERROR(field) \
-        if (buf->field ## _size % sizeof(*buf->field)) \
-            av_log(ctx, AV_LOG_ERROR, "  " #field " is %d, should be " \
-                   "multiple of %d\n", \
-                   buf->field ## _size, (int)sizeof(*buf->field));
-        LOG_ERROR(sample_fmts);
-        LOG_ERROR(sample_rates);
-        LOG_ERROR(channel_layouts);
-        LOG_ERROR(channel_counts);
-#undef LOG_ERROR
-        return AVERROR(EINVAL);
-    }
+    CHECK_LIST_SIZE(sample_fmts)
+    CHECK_LIST_SIZE(sample_rates)
+    CHECK_LIST_SIZE(channel_layouts)
+    CHECK_LIST_SIZE(channel_counts)
 
     if (buf->sample_fmts_size) {
         for (i = 0; i < NB_ITEMS(buf->sample_fmts); i++)

From 76c8060654f01aa270b9169b884902289a7ebf64 Mon Sep 17 00:00:00 2001
From: Nicolas George <nicolas.george@normalesup.org>
Date: Sat, 13 Apr 2013 11:37:16 +0200
Subject: [PATCH 2/4] lavu: add av_pure to av_int_list_length_for_size.

---
 libavutil/avutil.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/avutil.h b/libavutil/avutil.h
index d71eb1ef4c..fd9bdc88a7 100644
--- a/libavutil/avutil.h
+++ b/libavutil/avutil.h
@@ -261,7 +261,7 @@ static inline void *av_x_if_null(const void *p, const void *x)
  * @return  length of the list, in elements, not counting the terminator
  */
 unsigned av_int_list_length_for_size(unsigned elsize,
-                                     const void *list, uint64_t term);
+                                     const void *list, uint64_t term) av_pure;
 
 /**
  * Compute the length of an integer list.

From 2a1d7ea5f8ba71e1ed96c17414f8d106c006d87a Mon Sep 17 00:00:00 2001
From: Nicolas George <nicolas.george@normalesup.org>
Date: Sat, 13 Apr 2013 11:47:27 +0200
Subject: [PATCH 3/4] lavu: add parens to macro argument.

---
 libavutil/avutil.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/avutil.h b/libavutil/avutil.h
index fd9bdc88a7..6f307d6c5d 100644
--- a/libavutil/avutil.h
+++ b/libavutil/avutil.h
@@ -271,7 +271,7 @@ unsigned av_int_list_length_for_size(unsigned elsize,
  * @return  length of the list, in elements, not counting the terminator
  */
 #define av_int_list_length(list, term) \
-    av_int_list_length_for_size(sizeof(*list), list, term)
+    av_int_list_length_for_size(sizeof(*(list)), list, term)
 
 /**
  * @}

From 9e8e03de38b3deb6bee546a37e1a3ff05cf5f746 Mon Sep 17 00:00:00 2001
From: Nicolas George <nicolas.george@normalesup.org>
Date: Sat, 13 Apr 2013 11:46:56 +0200
Subject: [PATCH 4/4] lavu/opt: check int lists length for overflow.

Also add parens on macro arguments.
---
 libavutil/opt.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavutil/opt.h b/libavutil/opt.h
index e368259455..7f7b54e708 100644
--- a/libavutil/opt.h
+++ b/libavutil/opt.h
@@ -668,8 +668,10 @@ int av_opt_set_video_rate(void *obj, const char *name, AVRational val, int searc
  * @param flags  search flags
  */
 #define av_opt_set_int_list(obj, name, val, term, flags) \
-    av_opt_set_bin(obj, name, (const uint8_t *)val, \
-                   av_int_list_length(val, term) * sizeof(*val), flags)
+    (av_int_list_length(val, term) > INT_MAX / sizeof(*(val)) ? \
+     AVERROR(EINVAL) : \
+     av_opt_set_bin(obj, name, (const uint8_t *)(val), \
+                    av_int_list_length(val, term) * sizeof(*(val)), flags))
 /**
  * @}
  */
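Review bot: The new `av_opt_set_int_list` expands `term` into two evaluated `av_int_list_length()` calls and `val` into three evaluated positions, so an argument with side effects is evaluated repeatedly, and the list is scanned twice unless the compiler merges the calls through `av_pure`, which presumably expands to nothing on compilers without attribute support. The doc comment above the macro, which starts outside this hunk, should state that the arguments are evaluated more than once and document the new failure, e.g. `@return AVERROR(EINVAL) if the list size in bytes would exceed INT_MAX, otherwise the result of av_opt_set_bin()`. The macro also now requires `INT_MAX` and `AVERROR` to be visible wherever it is expanded; the hunk does not show whether opt.h pulls in `<limits.h>` and the error header, so that is worth confirming.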