On Thu, Dec 26, 2019 at 08:33:38AM +0800, lance.lmw...@gmail.com wrote: > From: Limin Wang <lance.lmw...@gmail.com> > > Signed-off-by: Limin Wang <lance.lmw...@gmail.com> > --- > libavutil/frame.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/libavutil/frame.c b/libavutil/frame.c > index e403809..2e763ef 100644 > --- a/libavutil/frame.c > +++ b/libavutil/frame.c > @@ -696,11 +696,8 @@ AVFrameSideData *av_frame_new_side_data_from_buf(AVFrame > *frame, > if (!buf) > return NULL; > > - if (frame->nb_side_data > INT_MAX / sizeof(*frame->side_data) - 1) > - return NULL; > - > - tmp = av_realloc(frame->side_data, > - (frame->nb_side_data + 1) * sizeof(*frame->side_data)); > + tmp = av_realloc_array(frame->side_data, > + frame->nb_side_data + 1, sizeof(*frame->side_data));
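Review bot: In the replacement call, `frame->nb_side_data + 1` is no longer bounded by anything visible in this function, because the explicit comparison against `INT_MAX / sizeof(*frame->side_data) - 1` is removed along with the open-coded multiplication. The size limit now rests entirely on whatever av_realloc_array() enforces internally, so either keep an explicit upper bound on `frame->nb_side_data` ahead of the call or state in the commit message which documented guarantee of av_realloc_array() replaces the removed check. The commit message currently carries only the Signed-off-by line and gives no rationale for dropping the guard.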
This depends on undocumented behavior of av_realloc_array() checking against INT_MAX, also there's a patch to increase this undocumented limit on the ML. This and that other patch would result in inadequate checking and potential overflow.

Thanks

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didn't complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"