[FFmpeg-cvslog] r18088 - trunk/libavformat/mxfdec.c
Baptiste Coudurier
baptiste.coudurier
Sun Mar 22 11:22:52 CET 2009
On 3/22/2009 2:31 AM, Reimar Döffinger wrote:
> On Sat, Mar 21, 2009 at 08:20:43PM -0700, Baptiste Coudurier wrote:
>> bcoudurier wrote:
>>> Author: bcoudurier
>>> Date: Sat Mar 21 01:50:51 2009
>>> New Revision: 18088
>>>
>>> Log:
>>> protect realloc overflow
>>>
>>> Modified:
>>> trunk/libavformat/mxfdec.c
>>>
>>> Modified: trunk/libavformat/mxfdec.c
>>> ==============================================================================
>>> --- trunk/libavformat/mxfdec.c Sat Mar 21 01:50:19 2009 (r18087)
>>> +++ trunk/libavformat/mxfdec.c Sat Mar 21 01:50:51 2009 (r18088)
>>> @@ -364,6 +364,8 @@ static int mxf_read_primer_pack(MXFConte
>>>
>>> static int mxf_add_metadata_set(MXFContext *mxf, void *metadata_set)
>>> {
>>> + if (mxf->metadata_sets_count+1 >= UINT_MAX / sizeof(*mxf->metadata_sets))
>>> + return AVERROR(ENOMEM);
>>> mxf->metadata_sets = av_realloc(mxf->metadata_sets, (mxf->metadata_sets_count + 1) * sizeof(*mxf->metadata_sets));
>>> if (!mxf->metadata_sets)
>>> return -1;
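Review bot: The added guard evaluates `mxf->metadata_sets_count+1` before comparing, so the check itself does arithmetic on the counter it is meant to protect; the thread states that metadata_sets_count is an int, and at INT_MAX that addition is a signed overflow. Keep the counter alone on the left side, for example `if (mxf->metadata_sets_count >= UINT_MAX / sizeof(*mxf->metadata_sets) - 1)`, which makes the same decision for every count from 0 upward without adding to it. The new path also returns AVERROR(ENOMEM) while the existing av_realloc failure two lines below returns -1; one error code for both would be clearer to callers.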
>> Just to be sure, is the test sufficient and the best?
>
> Depends, is metadata_sets_count int or unsigned?
int
> The +1 can most likely overflow, simple rule: a working overflow check
> will almost always have the check variable standing alone on one side.
> Writing the equation the naive way and moving everything else to the other
> side often works, you just have to make sure rounding happens the right
> way around.
The +1 yes, however the check is >=, so it should be safe, no? It would
just fail one before the max, if I'm not mistaken.
What would be the best situation? unsigned and >? (unsigned) cast + 1
and >=?
--
Baptiste COUDURIER GnuPG Key Id: 0x5C1ABAAA
Key fingerprint 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
checking for life_signs in -lkenny... no
FFmpeg maintainer http://www.ffmpeg.org
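
The rule quoted in this thread (keep the checked variable alone on one side, and make sure rounding goes the right way) worked through as an added example; it is not code from the patch or from FFmpeg. The helper name `grow_by_one_size`, its parameters and the sample inputs are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not FFmpeg code): may an array of `count` elements of
 * `elem_size` bytes grow by one element without (count + 1) * elem_size
 * exceeding `max_bytes`? Returns 0 and stores the new byte size in
 * *new_bytes, or -1 to refuse. */
static int grow_by_one_size(int count, size_t elem_size,
                            size_t max_bytes, size_t *new_bytes)
{
    size_t max_elems;

    if (count < 0 || elem_size == 0)
        return -1;                  /* corrupt counter or bad element size */

    /* Naive requirement: (count + 1) * elem_size <= max_bytes.
     * Divide instead of multiplying. Integer division rounds down, which is
     * the safe direction: max_elems * elem_size never exceeds max_bytes. */
    max_elems = max_bytes / elem_size;

    /* Move the "+ 1" across too, so `count` stands alone:
     * count + 1 <= max_elems  <=>  count < max_elems.
     * No arithmetic touches `count`, so nothing can wrap, even at INT_MAX. */
    if ((size_t)count >= max_elems)
        return -1;

    /* Proven above to be <= max_bytes, so this cannot overflow. */
    *new_bytes = ((size_t)count + 1) * elem_size;
    return 0;
}

int main(void)
{
    size_t n = 0;

    /* Constructed inputs: a sane counter, then INT_MAX, with a UINT_MAX cap. */
    printf("count=10      -> %d\n",
           grow_by_one_size(10, sizeof(void *), UINT_MAX, &n));
    printf("count=INT_MAX -> %d\n",
           grow_by_one_size(INT_MAX, sizeof(void *), UINT_MAX, &n));
    return 0;
}
```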