On Wed, Oct 15, 2014 at 07:59:24PM +0200, Benoit Fouet wrote:
> Hi,
>
> Le 15/10/2014 19:42, Reimar Döffinger a écrit :
> > On Tue, Oct 14, 2014 at 04:30:39PM -0400, Michael Lynch wrote:
> >> This patch fixes a crash in ff_rtsp_read_reply that can occur when the
> >> Content Length field of the RTSP reply message is very high (e.g. near
> >> INT_MAX) and causes av_malloc to return NULL.
> >>
> >> Thanks,
> >> Michael
> >>
> >> commit 1e085fa751168813912f13f89b754e5711b13daa
> >> Author: Michael Lynch <mtly...@google.com>
> >> Date: Tue Oct 14 14:19:40 2014 -0400
> >>
> >> Fixing crash in ff_rtsp_read_reply caused by failure to check the
> >> result of memory allocation.
> >>
> >> diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
> >> index 523a7c0..77f03ba 100644
> >> --- a/libavformat/rtsp.c
> >> +++ b/libavformat/rtsp.c
> >> @@ -1150,6 +1150,8 @@ start:
> >> if (content_length > 0) {
> >> /* leave some room for a trailing '\0' (useful for simple parsing)
> >> */
> >> content = av_malloc(content_length + 1);
> >> + if (!content)
> >> + return AVERROR(ENOMEM);
> >> ffurl_read_complete(rt->rtsp_hd, content, content_length);
> >> content[content_length] = '\0';
> >> }
> > LGTM. It currently is the only allocation so a direct return should not
> > leak anything.
>
> I'd change the commit message to something less confusing, though.
> "avformat/rtsp: check memory allocation" or something like this.applied thanks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If a bugfix only changes things apparently unrelated to the bug with no further explanation, that is a good sign that the bugfix is wrong.
signature.asc
Description: Digital signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
