[FFmpeg-devel] [PATCH 2/4] avformat/mxfdec: Check count in mxf_read_strong_ref_array()

Michael Niedermayer michael at niedermayer.cc
Mon Mar 21 23:20:52 EET 2022


On Mon, Mar 21, 2022 at 11:06:14AM +0100, Tomas Härdin wrote:
> sön 2022-03-20 klockan 15:06 +0100 skrev Michael Niedermayer:
> > On Sun, Mar 20, 2022 at 02:05:41PM +0100, Tomas Härdin wrote:
> > > lör 2022-03-19 klockan 23:50 +0100 skrev Michael Niedermayer:
> > [...]
> > > > 
> > > > 
> > > > > 
> > > > > > +
> > > > > > +    //avio_read() used int
> > > > > > +    if (c > INT_MAX / sizeof(UID))
> > > > > > +        return AVERROR_PATCHWELCOME;
> > > > > > +    *count = c;
> > > > > > +
> > > > > 
> > > > > This should already be caught by av_calloc(), no?
> > > > 
> > > > the API as in the documentation of av_calloc() does not gurantee
> > > > this. 
> > > 
> > > Yes it does:
> > > 
> > >   The allocated memory will have size `size * nmemb` bytes.
> > >   [...]
> > >   `NULL` if the block cannot be allocated
> > 
> > void *av_calloc(size_t nmemb, size_t size)
> > size_t can be larger than int, so size * nmemb may be larger than
> > INT_MAX
> 
> Crap, you're right. This also brings to mind the question why
> packages_count etc are int rather than unsigned or uint32_t..
> 
> Patch is OK then

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220321/6f20ef97/attachment.sig>


More information about the ffmpeg-devel mailing list