[FFmpeg-devel] [PATCH 001/244] Add a new channel layout API
Anton Khirnov
anton at khirnov.net
Tue Jan 14 17:51:00 EET 2020
Quoting Nicolas George (2020-01-14 15:46:17)
> Anton Khirnov (12020-01-12):
> > Your explanation does not make sense to me. Checking for negative values
> > is not guarding against overflow, it's "checking after the fact whether
> > overflow occurred". Any such checks, whether signed or unsigned, are
> > necessarily invalid and broken (hence the quotes). Guarding against
> > overflow must always be done by checking BEFORE the operation that might
> > overflow - again both for signed and unsigned.
> >
> > From this angle, there is no difference between using signed and
> > unsigned values. The fact that in one case the overflow would have been
> > UB and the other wouldn't changes nothing here.
>
> You are right: if the code is known to be 100% bug-free, then it makes
> no difference. But even TeX's code is not known to be 100% bug-free. And
> when there may be bugs, I think I have given ample proof that signed
> with UB are more dangerous than unsigned with modular arithmetic.
No you certainly have not. If buggy code produces an invalid channel
count through overflow, then you are screwed no matter what. The fact
that one of the overflows is UB and the other is not has zero impact on
the fact that the channel count is unusable garbage (as I already
said).
--
Anton Khirnov
More information about the ffmpeg-devel
mailing list