On Tue, Oct 14, 2014 at 04:30:39PM -0400, Michael Lynch wrote:
> This patch fixes a crash in ff_rtsp_read_reply that can occur when the
> Content Length field of the RTSP reply message is very high (e.g. near
> INT_MAX) and causes av_malloc to return NULL.
>
> Thanks,
> Michael
>
> commit 1e085fa751168813912f13f89b754e5711b13daa
> Author: Michael Lynch <mtly...@google.com>
> Date: Tue Oct 14 14:19:40 2014 -0400
>
> Fixing crash in ff_rtsp_read_reply caused by failure to check the
> result of memory allocation.
>
> diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
> index 523a7c0..77f03ba 100644
> --- a/libavformat/rtsp.c
> +++ b/libavformat/rtsp.c
> @@ -1150,6 +1150,8 @@ start:
> if (content_length > 0) {
> /* leave some room for a trailing '\0' (useful for simple parsing)
> */
> content = av_malloc(content_length + 1);
> + if (!content)
> + return AVERROR(ENOMEM);
> ffurl_read_complete(rt->rtsp_hd, content, content_length);
> content[content_length] = '\0';
> }
LGTM. It currently is the only allocation so a direct return should not
leak anything.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
