[Ffmpeg-devel] [PATCH] from DivX, Part 1: cosmetic changes

Steve Lhomme steve.lhomme
Sat Dec 17 03:07:41 CET 2005


Michael Niedermayer wrote:
> Hi
> 
> On Fri, Dec 16, 2005 at 03:20:38PM -1000, Steve Lhomme wrote:
> 
>>>>The type of a sizeof() expression is size_t, which is unsigned.  Hence
>>>>sizeof(foo) + x < x is impossible, unless the addition overflows.
>>>
>>>
>>>yes, maybe looking at the next line clarifies the meaning behind this
>>>d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
>>>if it overflows, you will have a too small buffer ...
>>
>>The question is: will it overflow on a 32-bit system?
>>There are other examples of such tests that I replaced with asserts.
> 
> 
> well as io_buffer_size is practically a parameter to this function it's a
> question of how this function is used, and as the overflow would cause a
> buffer overflow on the heap which might be exploitable I really don't think
> you want this to be missing in non debug builds

You mean your OS will give you a buffer sized 0xFFFFFF0 ? I think on 
Windows to allocate that much space you need a special call. Otherwise 
it will be NULL.

I tried 0x7FFFFFF0 in MSVC and it returns NULL.
0xFFFFFFF0 asserts (and returns NULL in Release mode).
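The point under discussion is not whether the OS will hand out a huge buffer, but what happens when `sizeof(DynBuffer) + io_buffer_size` wraps: the value passed to av_malloc() becomes small, the allocation succeeds, and the caller owns a buffer far shorter than io_buffer_size. The following is an added example written for this page; it is not ffmpeg's code. The DynBuffer layout is a hypothetical stand-in (the thread only shows the struct's use in av_malloc), and a 32-bit size_t is modelled with uint32_t (named size32_t here) so the wraparound reproduces on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout standing in for libavformat's DynBuffer; the real
 * struct is not shown in the thread, only its use in av_malloc(). */
typedef struct {
    int pos;
    int size;
    int allocated_size;
    uint8_t io_buffer[1];
} DynBuffer;

/* Model size_t on a 32-bit system as uint32_t so the wraparound is
 * reproducible on a 64-bit host (assumption made for this demonstration). */
typedef uint32_t size32_t;

/* What av_malloc() would be asked for: unsigned addition simply wraps,
 * there is no undefined behaviour and no error to catch afterwards. */
size32_t wrapped_alloc_size(size32_t header, size32_t io_buffer_size)
{
    return header + io_buffer_size;
}

/* The test the patch proposed to turn into an assert: true iff the
 * addition wrapped, which is the only way header + x can be below x. */
int add_overflows(size32_t header, size32_t io_buffer_size)
{
    return header + io_buffer_size < io_buffer_size;
}

/* Unchecked variant, mirroring d = av_malloc(sizeof(DynBuffer) + io_buffer_size).
 * On wraparound the request is tiny, so malloc() happily succeeds instead of
 * returning NULL; later writes of io_buffer_size bytes then run off the end. */
DynBuffer *dyn_buffer_open_unchecked(size32_t io_buffer_size, size32_t *requested)
{
    size32_t n = wrapped_alloc_size((size32_t)sizeof(DynBuffer), io_buffer_size);
    *requested = n;
    return (DynBuffer *)malloc(n);
}

/* Checked variant: refuse sizes whose sum wraps before touching the heap. */
DynBuffer *dyn_buffer_open_checked(size32_t io_buffer_size, size32_t *requested)
{
    size32_t header = (size32_t)sizeof(DynBuffer);
    if (add_overflows(header, io_buffer_size)) {
        *requested = 0;
        return NULL;
    }
    *requested = header + io_buffer_size;
    return (DynBuffer *)malloc(*requested);
}

int main(void)
{
    size32_t req;
    DynBuffer *d = dyn_buffer_open_unchecked(0xFFFFFFFFu, &req);
    printf("unchecked: asked malloc for %u bytes, got %s\n",
           (unsigned)req, d ? "a buffer (far too small)" : "NULL");
    free(d);
    d = dyn_buffer_open_checked(0xFFFFFFFFu, &req);
    printf("checked: %s\n", d ? "allocated" : "rejected before allocation");
    free(d);
    return 0;
}
```

With io_buffer_size = 0xFFFFFFFF the unchecked path asks malloc() for sizeof(DynBuffer) - 1 bytes and gets a valid pointer, which is exactly the heap-overflow scenario the quoted reply warns about; the checked path returns NULL before any allocation. Note that the check must be performed in the same type as the real allocation size (size_t), otherwise a 64-bit build would not exercise the wrap while a 32-bit build would.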
