nsvdec: Be more careful with av_malloc().

Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b50337db64d34a5726dfe3e8ea94f09)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c81c37d8a3de424de3db14078ae84333)

Conflicts:

	libavformat/nsvdec.c
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index d592617..9e5f38d 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -317,7 +317,9 @@
         char *token, *value;
         char quote;
 
-        p = strings = av_mallocz(strings_size + 1);
+        p = strings = av_mallocz((size_t)strings_size + 1);
+        if (!p)
+            return AVERROR(ENOMEM);
         endp = strings + strings_size;
         get_buffer(pb, strings, strings_size);
         while (p < endp) {
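Review bot: The `(size_t)` cast on the `av_mallocz` line only keeps the `+ 1` from wrapping where `size_t` is wider than the type of `strings_size`. On a build with a 32-bit `size_t`, a maximal `strings_size` can still produce a zero-length request, after which `endp = strings + strings_size` and `get_buffer(pb, strings, strings_size)` work past the allocation. An explicit upper bound on `strings_size` before the allocation, in the style of the `table_entries` check later in this file, would close this on every platform. The return value of `get_buffer` is also ignored here, so a truncated file is parsed as if the whole string block had been read.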
@@ -351,6 +353,8 @@
         if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
             return -1;
         nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t));
+        if (!nsv->nsvf_index_data)
+            return AVERROR(ENOMEM);
 #warning "FIXME: Byteswap buffer as needed"
         get_buffer(pb, (unsigned char *)nsv->nsvf_index_data, table_entries * sizeof(uint32_t));
     }
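Review bot: `nsvf_index_data` comes from `av_malloc`, which does not zero memory, and the `get_buffer` call after the new NULL check still ignores its return value, so a short read leaves the tail of the index table uninitialised. Consider comparing the number of bytes read against `table_entries * sizeof(uint32_t)` and failing on a mismatch. Separately, the overflow guard just above returns a bare `-1` while the new path returns `AVERROR(ENOMEM)`; returning an AVERROR code from both would keep the error reporting consistent.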