[FFmpeg-devel] [PATCH] fix for bfi buffer overread (roundup issue 2497)

Daniel Kang daniel.d.kang
Thu Jan 6 23:54:52 CET 2011


On Thu, Jan 6, 2011 at 5:49 PM, Michael Niedermayer <michaelni at gmx.at> wrote:

>  >          case 0:                //Normal Chain
> > +            if (buf + length >= buf_end) {
>
> This has a very small chance that buf + length overflows, that is if buf is
> close to 0xFFFFFFFF on a 32-bit system or 0xFFFFFFFFFFFFFFFF on 64-bit then
> buf + length can be smaller than buf and thus also smaller than buf_end
>
> This is unlikely in practice but it's easy to avoid this problem by using
>
> if(length >= buf_end - buf)
>
> as a rule of thumb, the variable to be checked for validity should be
> alone on one side of the </>/<=/>= to avoid this kind of problem
>
> The same issue exists with code like
> if(something * sizeof(some struct) > foo)
> vs.
> if(something > foo / sizeof(some struct))


Thank you for the tip, I had not thought of that.

I have updated the patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bfi_buffer_sanity_check.diff
Type: application/octet-stream
Size: 1761 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110106/fb4cf74d/attachment.obj>
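The two checks Michael contrasts, worked through as an added example (not part of the patch or of FFmpeg's code): since pointer arithmetic that leaves the object is undefined behaviour in C, the pointers are modelled as uintptr_t values, and `struct record` is a constructed stand-in for the `sizeof(some struct)` case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the struct in the sizeof() example. */
struct record { uint32_t type; uint32_t len; };

/* Rejected form: computes buf + length before comparing.  Modelled on
 * uintptr_t so the wraparound is well-defined unsigned arithmetic (with
 * real pointers it is undefined behaviour, which is exactly why the check
 * cannot be trusted).  Returns 1 when the read of `length` bytes would be
 * allowed to proceed. */
static int read_allowed_naive(uintptr_t buf, size_t length, uintptr_t buf_end)
{
    return !(buf + length >= buf_end);
}

/* Suggested form: `length` stands alone on one side; buf_end - buf is the
 * space left in the buffer and cannot wrap as long as buf <= buf_end. */
static int read_allowed_safe(uintptr_t buf, size_t length, uintptr_t buf_end)
{
    return !(length >= (size_t)(buf_end - buf));
}

/* Same rule for sizes: count * sizeof() can wrap to a small number, while
 * dividing the fixed limit by sizeof() cannot. */
static int count_allowed_naive(size_t count, size_t limit)
{
    return !(count * sizeof(struct record) > limit);
}

static int count_allowed_safe(size_t count, size_t limit)
{
    return !(count > limit / sizeof(struct record));
}

int main(void)
{
    /* Constructed addresses: a 64-byte buffer 100 bytes below the top of the address space. */
    uintptr_t buf = UINTPTR_MAX - 99, buf_end = buf + 64;
    size_t length = 200;                    /* chain length read from the file */
    printf("pointer check  naive: %d  safe: %d\n",
           read_allowed_naive(buf, length, buf_end), read_allowed_safe(buf, length, buf_end));

    /* count * sizeof(struct record) wraps to exactly 0 for any size_t width. */
    size_t count = SIZE_MAX / sizeof(struct record) + 1;
    printf("size check     naive: %d  safe: %d\n",
           count_allowed_naive(count, 4096), count_allowed_safe(count, 4096));
    return 0;
}
```

In both cases the naive form accepts an input that the safe form rejects, because the wrapped sum or product lands below the limit.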