There is a theoretical possibility to pass a very long string to ff_parse,
which could crash if allocated from the stack. Moving the copy to the heap
allows the allocation to be checked properly and failure to be reported.
Originally committed as revision 19670 to svn://svn.ffmpeg.org/ffmpeg/trunk
double (**func2)(void *, double, double), const char **func2_name,
const char **error){
Parser p;
- AVEvalExpr * e;
- char w[strlen(s) + 1], * wp = w;
+ AVEvalExpr *e = NULL;
+ char *w = av_malloc(strlen(s) + 1);
+ char *wp = w;
+
+ if (!w)
+ goto end;
while (*s)
if (!isspace(*s++)) *wp++ = s[-1];
e = parse_expr(&p);
if (!verify_expr(e)) {
ff_eval_free(e);
- return NULL;
+ e = NULL;
}
+end:
+ av_free(w);
return e;
}
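Review bot: On the new out-of-memory path (`if (!w) goto end;`) ff_parse returns NULL without setting `*error`, while the parse-failure paths presumably report through the `error` out-parameter visible in the signature, so a caller that inspects `*error` on a NULL result cannot distinguish an allocation failure from a rejected expression; if callers rely on that, use `if (!w) { if (error) *error = "out of memory"; goto end; }`. The heap copy `w` is freed at `end:` before `e` is handed back, which is only safe if the tree built by parse_expr retains no pointers into `w`; the previous VLA would have dangled the same way, so this is likely already the contract, but it is worth confirming. Since the motivation for the change is that `s` may be long and attacker-influenced, the whitespace strip on the context line `if (!isspace(*s++))` should also cast, `if (!isspace((unsigned char)*s++))`, because passing a negative plain `char` to a <ctype.h> function is undefined behavior. ff_parse's signature begins above the hunk.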