[FFmpeg-devel] stsz overflow
Frank Barchard
fbarchard
Tue Aug 25 20:21:51 CEST 2009
On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de> wrote:
> Seems reasonable to me, except for the comment.
> A buffer overrun/overflow is only the secondary effect.
> The right comment should be something like "avoids integer
> overflow in multiplication with field_size".
> Particularly mentioning field_size may reduce the risk of forgetting
> to change this if ever e.g. field_size == 64 should become possible.
Agreed.
> Or
> if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> field_size)
> as a compromise.
I think this still has a bug if field_size is 4, because later it is
multiplied by 8.
Simple patch with comment change. The earlier patch with int64 math is also
fully functional.
Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c (revision 19697)
+++ libavformat/mov.c (working copy)
@@ -1256,7 +1256,7 @@
return -1;
}
- if(entries >= UINT_MAX / sizeof(int))
+ if(entries >= UINT_MAX / 32) /* avoids integer overflow in
multiplication with field_size */
return -1;
sc->sample_sizes = av_malloc(entries * sizeof(int));
if (!sc->sample_sizes)
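Review bot: the added `+` line is wrapped by the mail client, so its comment continues on a second line without a `+` prefix (`multiplication with field_size */`); the hunk will not apply as posted, and the `@@ -1256,7 +1256,7 @@` line count no longer matches either, so re-send with the comment on one line or as an attachment. Separately, the bound is a bare literal `32` while the comment promises a link to field_size; spell out how 32 is derived, for example as an expression of the multipliers it covers or a named constant, so the case the quoted reply worries about (field_size changing) is not silently missed.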
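The bound argument above (a check that divides by field_size alone misses the later multiplication by 8), as an added C example that is not part of the patch or of FFmpeg. It takes Frank's remark literally as a product chain entries x field_size x 8 with field_size = 4, does not model mov.c's actual arithmetic, and uses a 64-bit reference check as the "int64 math" alternative he mentions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit reference (the "int64 math" alternative): does entries * f1 * f2
 * exceed UINT_MAX, i.e. would it wrap if computed in 32-bit unsigned?
 * Assumed model: f1 plays the role of field_size, f2 the later factor of 8. */
bool chain_overflows_u32(uint32_t entries, uint32_t f1, uint32_t f2)
{
    uint64_t p = (uint64_t)entries * f1;
    if (p > UINT_MAX)
        return true;
    return p * f2 > UINT_MAX;   /* p <= 2^32 and f2 is small: no 64-bit wrap */
}

/* Division-style bound as in the patch: accept only entries < UINT_MAX / divisor.
 * With divisor == f1 it is the quoted compromise (minus its "- 4" slack);
 * with divisor == f1 * f2 (4 * 8 == 32) it is the posted patch. */
bool division_check_accepts(uint32_t entries, uint32_t divisor)
{
    return entries < UINT_MAX / divisor;
}

/* Largest entries value the division bound accepts although the chain wraps;
 * 0 means the bound is sound for this chain. Wrapping is monotone in entries,
 * so testing the largest accepted value decides it. */
uint32_t bound_counterexample(uint32_t divisor, uint32_t f1, uint32_t f2)
{
    uint32_t largest = UINT_MAX / divisor - 1;
    return chain_overflows_u32(largest, f1, f2) ? largest : 0;
}

int main(void)
{
    const uint32_t field_size = 4, later = 8;   /* values named in the thread */
    uint32_t bad = bound_counterexample(field_size, field_size, later);
    printf("divide by field_size only: counterexample entries=%u (accepted=%d)\n",
           bad, (int)division_check_accepts(bad, field_size));
    printf("divide by field_size*8:    counterexample entries=%u\n",
           bound_counterexample(field_size * later, field_size, later));
    return 0;
}
```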