[Ffmpeg-devel] [PATCH] from DivX, Part 1: cosmetic changes

Michael Niedermayer michaelni
Sat Dec 17 03:19:35 CET 2005


Hi

On Fri, Dec 16, 2005 at 04:07:41PM -1000, Steve Lhomme wrote:
> Michael Niedermayer wrote:
> >Hi
> >
> >On Fri, Dec 16, 2005 at 03:20:38PM -1000, Steve Lhomme wrote:
> >
> >>>>The type of a sizeof() expression is size_t, which is unsigned.  Hence
> >>>>sizeof(foo) + x < x is impossible, unless the addition overflows.
> >>>
> >>>
> >>>yes, maybe looking at the next line clarifies the meaning behind this
> >>>d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
> >>>if it overflows, you will have a too small buffer ...
> >>
> >>The question is: will it overflow on a 32-bit system?
> >>There are other examples of such tests that I replaced with asserts.
> >
> >
> >well as io_buffer_size is practically a parameter to this function it's a
> >question of how this function is used, and as the overflow would cause a
> >buffer overflow on the heap which might be exploitable I really don't think
> >you want this to be missing in non debug builds
> 
> You mean your OS will give you a buffer sized 0xFFFFFF0 ? I think on 
> windows to allocate that much space you need a special call. Otherwise 
> it will be NULL.

No, you will allocate 0xFFFFFFFF + sizeof(DynBuffer), which equals
sizeof(DynBuffer) - 1, and no OS can catch that.

[...]

-- 
Michael
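The arithmetic Michael describes, as an added example that is not part of the thread or of ffmpeg's own code: a 32-bit-sized sum that wraps to sizeof(DynBuffer) - 1, next to the overflow check the patch removed. DynBuffer here is an assumed stand-in layout, not ffmpeg's real definition.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for ffmpeg's DynBuffer (assumed layout, not the real one):
   a small header immediately followed by io_buffer_size bytes of I/O buffer. */
typedef struct {
    int pos, size, allocated_size;
    uint8_t io_buffer[1];
} DynBuffer;

/* What a 32-bit host computes for sizeof(DynBuffer) + io_buffer_size:
   plain unsigned wrap-around, so 0xFFFFFFFF + sizeof(DynBuffer) == sizeof(DynBuffer) - 1. */
uint32_t wrapped_size32(uint32_t header, uint32_t payload)
{
    return header + payload;
}

/* Overflow-checked version of the same sum for the host's size_t.
   Returns header + payload, or 0 if the sum would wrap (header is never 0,
   so 0 is unambiguous). "payload > SIZE_MAX - header" is the wrap test
   written so that the comparison itself cannot overflow. */
size_t checked_dyn_buffer_size(size_t header, size_t payload)
{
    if (payload > SIZE_MAX - header)
        return 0;
    return header + payload;
}

/* Allocation path with the check kept: reject the wrap before calling malloc,
   instead of getting a buffer of sizeof(DynBuffer) - 1 bytes and later writing
   io_buffer_size bytes into it. */
DynBuffer *dyn_buffer_new(size_t io_buffer_size)
{
    size_t total = checked_dyn_buffer_size(sizeof(DynBuffer), io_buffer_size);
    if (total == 0)
        return NULL;   /* the caller sees an allocation failure, not a tiny buffer */
    return calloc(1, total);
}

int main(void)
{
    printf("32-bit: 0xFFFFFFFF + %zu wraps to %u\n",
           sizeof(DynBuffer), wrapped_size32(0xFFFFFFFFu, (uint32_t)sizeof(DynBuffer)));
    printf("checked(SIZE_MAX) -> %zu, checked(1024) -> %zu\n",
           checked_dyn_buffer_size(sizeof(DynBuffer), SIZE_MAX),
           checked_dyn_buffer_size(sizeof(DynBuffer), 1024));
    return 0;
}
```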
