[Ffmpeg-devel] [PATCH] from DivX, Part 1: cosmetic changes
Sat Dec 17 03:07:41 CET 2005
Michael Niedermayer wrote:
> On Fri, Dec 16, 2005 at 03:20:38PM -1000, Steve Lhomme wrote:
>>>>The type of a sizeof() expression is size_t, which is unsigned. Hence
>>>>sizeof(foo) + x < x is impossible, unless the addition overflows.
>>>yes, maybe looking at the next line clarifies the meaning behind this
>>>d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
>>>if it overflows, you will have a too small buffer ...
>>The question is: will it overflow on a 32-bit system?
>>There are other examples of such tests that I replaced with asserts.
> well, as io_buffer_size is practically a parameter to this function, it's a
> question of how this function is used, and as the overflow would cause a
> buffer overflow on the heap which might be exploitable, I really don't think
> you want this to be missing in non-debug builds
You mean your OS will give you a buffer sized 0xFFFFFF0? I think on
Windows to allocate that much space you need a special call. Otherwise
it will be NULL.
I tried 0x7FFFFFF0 in MSVC and it returns NULL.
0xFFFFFFF0 asserts (and returns NULL in Release mode).
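The arithmetic the thread is arguing about, shown as an added example that is not FFmpeg code and not part of the original message. It emulates a 32-bit size_t with uint32_t so the wrap is visible on any host: with a 16-byte header, a request of io_buffer_size = 0xFFFFFFF0 makes sizeof(DynBuffer) + io_buffer_size wrap to 0, so the allocator is asked for a tiny block, not a 4 GB one, and the subsequent writes into io_buffer overrun the heap. The `total < io_buffer_size` idiom quoted above catches exactly that wrap. The DynBuffer layout and the hypothetical dyn_buffer_alloc() wrapper are assumptions for illustration; the real struct's fields are not shown on this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for the DynBuffer struct from the thread (assumed layout). */
typedef struct {
    int pos;
    int size;
    int allocated_size;
    uint8_t io_buffer[1]; /* tail that io_buffer_size bytes are appended to */
} DynBuffer;

/* Emulate a 32-bit size_t so the overflow reproduces on 64-bit hosts too. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Overflow-safe check: does hdr + io_buffer_size exceed the 32-bit range?
 * Written as a subtraction so the check itself cannot wrap. Returns 1 if
 * the addition would overflow, 0 otherwise. */
int alloc_size_overflows(size32_t hdr, size32_t io_buffer_size)
{
    return io_buffer_size > SIZE32_MAX - hdr;
}

/* The pattern under discussion: total = hdr + io_buffer_size, verified with
 * the "total < io_buffer_size" idiom. Returns the (possibly wrapped) total
 * and sets *detected to 1 when the idiom flags a wrap. */
size32_t wrapped_total(size32_t hdr, size32_t io_buffer_size, int *detected)
{
    size32_t total = hdr + io_buffer_size; /* wraps modulo 2^32 */
    *detected = total < io_buffer_size;
    return total;
}

/* Hypothetical hardened allocator (not FFmpeg's av_malloc): refuses a size
 * that would wrap instead of returning an undersized heap block. The real
 * allocation uses the host size_t, which is safe once the check passed. */
void *dyn_buffer_alloc(size32_t io_buffer_size)
{
    size32_t hdr = (size32_t)sizeof(DynBuffer);
    if (alloc_size_overflows(hdr, io_buffer_size))
        return NULL;
    return calloc(1, (size_t)hdr + io_buffer_size);
}

int main(void)
{
    int detected;
    size32_t hdr = 16;                      /* assumed sizeof(DynBuffer) */
    size32_t req = 0xFFFFFFF0u;             /* the size from the thread */
    size32_t total = wrapped_total(hdr, req, &detected);

    /* 16 + 0xFFFFFFF0 wraps to 0: the allocator would be asked for 0 bytes. */
    printf("hdr=%u req=0x%08x total=%u wrap_detected=%d\n",
           hdr, req, total, detected);
    printf("hardened alloc: %s\n",
           dyn_buffer_alloc(req) == NULL ? "refused" : "allocated");

    void *ok = dyn_buffer_alloc(4096);
    printf("normal alloc: %s\n", ok ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

The difference between the two checks matters in non-debug builds: an assert() compiled out under NDEBUG removes the test entirely, whereas the subtraction-based check stays in and turns the wrap into a NULL return the caller must handle.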