virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00
Code Issues Releases Activity

tiff: Check buffer allocation and pointer increment more carefully in shorts2str() and double2str()

Browse Source 
Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-02-12 23:40:24 +01:00
parent 6f9ae391de
commit e1219cdaf9
1 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libavcodec/tiff.c
View File

@ -218,10 +218,12 @@ static char *doubles2str(double *dp, int count, const char *sep)
{
int i;
char *ap, *ap0;
int component_len;
uint64_t component_len;
if (!sep) sep = ", ";
component_len = 15 + strlen(sep);
ap = av_malloc(component_len * count);
component_len = 15LL + strlen(sep);
if (count >= (INT_MAX - 1)/component_len)
return NULL;
ap = av_malloc(component_len * count + 1);
if (!ap)
return NULL;
ap0 = ap;
@ -242,14 +244,22 @@ static char *shorts2str(int16_t *sp, int count, const char *sep)
{
int i;
char *ap, *ap0;
uint64_t component_len;
if (!sep) sep = ", ";
ap = av_malloc((5 + strlen(sep)) * count);
component_len = 7LL + strlen(sep);
if (count >= (INT_MAX - 1)/component_len)
return NULL;
ap = av_malloc(component_len * count + 1);
if (!ap)
return NULL;
ap0 = ap;
ap[0] = '\0';
for (i = 0; i < count; i++) {
int l = snprintf(ap, 5 + strlen(sep), "%d%s", sp[i], sep);
unsigned l = snprintf(ap, component_len, "%d%s", sp[i], sep);
if (l >= component_len) {
av_free(ap0);
return NULL;
}
ap += l;
}
ap0[strlen(ap0) - strlen(sep)] = '\0';