[FFmpeg-devel] [RFC] Avoid av_read_frame memory copy in implementation
Sebastian Vater
cdgs.basty
Fri May 28 17:08:38 CEST 2010
Ronald S. Bultje wrote:
> Hi,
>
> On Fri, May 28, 2010 at 10:46 AM, Cyril Russo
> <stage.nexvision at laposte.net> wrote:
>
>> Ok, so I don't understand the code at all.
>> I've stopped on this code in av_dup_packet which is too mentally disturbing
>> to understand:
>> if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
>> return AVERROR(ENOMEM);
>>
>
> Calm down dude. :-). The code is a safety mechanism which prevents an
> integer overflow for very large values of pkt->size. It is very
> unlikely to happen for regular video/audio files, but more likely part
> of specially crafted packets/files intended to crash/exploit FFmpeg.
>
Hi Cyril, I'll add an example for further clarification, so that this is
clearer:
Let pkt->size be 65535 and unsigned be 16-bit for the sake of simplicity, so
it will overflow at 65536 to 0...
Let's say that: FF_INPUT_BUFFER_PADDING_SIZE is 16.
Therefore 65535+16 = 65551 => 15 (65551 mod 65536).
Thus the if-statement will become true because:
if (65535 > 15)
return AVERROR(ENOMEM);
Hope this helped!
--
Best regards,
:-) Basty/CDGS (-:
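The wrap-around walk-through above can be checked on a machine. The following C program is an added illustration written for this page, not code from the mail or from FFmpeg: it models the av_dup_packet check both with the real `unsigned` width and with the 16-bit width used in the example, and shows how an allocation routine uses the check to refuse a size whose padded sum would wrap. `PADDING_SIZE` (16, as assumed in the mail), `padded_size_overflows`, `padded_size_overflows_u16`, `wrapped_sum_u16` and `padded_size_or_fail` are all names constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for FF_INPUT_BUFFER_PADDING_SIZE; the mail assumes 16. */
#define PADDING_SIZE 16u

/* The same test av_dup_packet makes, at the real width of 'unsigned'.
 * If size + padding wraps around, the sum is smaller than size, so the
 * comparison is true exactly when the padded allocation would be too small. */
static int padded_size_overflows(unsigned size, unsigned padding)
{
    return size > size + padding;
}

/* 16-bit model from the mail: arithmetic wraps at 65536.
 * The cast matters: uint16_t operands are promoted to int in C, so
 * without it 65535 + 16 would be computed as 65551 and never wrap. */
static uint16_t wrapped_sum_u16(uint16_t size, uint16_t padding)
{
    return (uint16_t)(size + padding);
}

static int padded_size_overflows_u16(uint16_t size, uint16_t padding)
{
    return size > wrapped_sum_u16(size, padding);
}

/* How an allocator uses the check: compute the padded size only after
 * proving it cannot wrap. Returns 0 and stores the size on success,
 * -1 when the request must be refused (FFmpeg returns AVERROR(ENOMEM)). */
static int padded_size_or_fail(unsigned size, unsigned *out)
{
    if (padded_size_overflows(size, PADDING_SIZE))
        return -1;
    *out = size + PADDING_SIZE;
    return 0;
}

int main(void)
{
    unsigned padded;

    /* The mail's example: 65535 + 16 wraps to 15 in 16-bit arithmetic. */
    printf("16-bit: 65535 + 16 = %u, check %s\n",
           wrapped_sum_u16(65535, 16),
           padded_size_overflows_u16(65535, 16) ? "rejects" : "accepts");

    /* A normal packet size passes. */
    printf("100-byte packet: %s\n",
           padded_size_or_fail(100, &padded) == 0 ? "accepted" : "rejected");

    /* A size near UINT_MAX, as a crafted file could carry, is refused
     * instead of producing a tiny allocation followed by an overflow. */
    printf("UINT_MAX packet: %s\n",
           padded_size_or_fail(UINT_MAX, &padded) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same idiom applies to any length-plus-padding computation on attacker-controlled sizes: compare before adding, or use a checked-add helper, and never allocate from a sum that has not been shown not to wrap.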