[Ffmpeg-devel] [PATCH] from DivX, Part 1: cosmetic changes
Måns Rullgård
mru
Sat Dec 17 11:28:57 CET 2005
Michael Niedermayer <michaelni at gmx.at> writes:
> Hi
>
> On Fri, Dec 16, 2005 at 04:07:41PM -1000, Steve Lhomme wrote:
>> Michael Niedermayer wrote:
>> >Hi
>> >
>> >On Fri, Dec 16, 2005 at 03:20:38PM -1000, Steve Lhomme wrote:
>> >
>> >>>>The type of a sizeof() expression is size_t, which is unsigned. Hence
>> >>>>sizeof(foo) + x < x is impossible, unless the addition overflows.
>> >>>
>> >>>
>> >>>yes, maybe looking at the next line clarifies the meaning behind this
>> >>>d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
>> >>>if it overflows, you will have a too small buffer ...
>> >>
>> >>The question is: will it overflow on a 32-bit system?
>> >>There are other examples of such tests that I replaced with asserts.
>> >
>> >
>> >well as io_buffer_size is practically a parameter to this function it's a
>> >question of how this function is used, and as the overflow would cause a
>> >buffer overflow on the heap which might be exploitable I really don't think
>> >you want this to be missing in non-debug builds
>>
>> You mean your OS will give you a buffer sized 0xFFFFFF0 ? I think on
>> windows to allocate that much space you need a special call. Otherwise
>> it will be NULL.
>
> no you will allocate 0xFFFFFFFF + sizeof(DynBuffer) which equals
> sizeof(DynBuffer) - 1 and no OS can catch that
If you are trying to allocate a buffer that large, there is obviously
something wrong somewhere. Catching it is probably a good thing.
--
Måns Rullgård
mru at inprovide.com
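The wrap-around the thread walks through, as an added C example that is not code from the FFmpeg patch or from anyone in the thread. The DynBuffer layout below is a stand-in (only its size matters), io_buffer_size is taken as size_t, and plain malloc() stands in for av_malloc(); the point is that the overflow test must survive into non-debug builds, which an assert() does not.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FFmpeg's DynBuffer; the real field layout is assumed, not copied. */
typedef struct DynBuffer {
    int pos, size, allocated_size;
    uint8_t io_buffer[1];
} DynBuffer;

/* The total the original code hands to av_malloc(). size_t addition wraps
 * modulo SIZE_MAX + 1, so SIZE_MAX + sizeof(DynBuffer) == sizeof(DynBuffer) - 1. */
size_t dyn_buffer_total(size_t io_buffer_size)
{
    return sizeof(DynBuffer) + io_buffer_size;
}

/* The check discussed in the thread: an unsigned sum is smaller than one of
 * its operands only if the addition wrapped. */
int dyn_buffer_overflows(size_t io_buffer_size)
{
    return sizeof(DynBuffer) + io_buffer_size < io_buffer_size;
}

/* Same decision without ever computing the wrapping sum. */
int dyn_buffer_overflows_sub(size_t io_buffer_size)
{
    return io_buffer_size > SIZE_MAX - sizeof(DynBuffer);
}

/* Allocation with the check kept as a runtime test (not assert()), so an
 * oversized request fails with NULL instead of returning an undersized heap
 * block that later writes would overrun. */
DynBuffer *dyn_buffer_alloc(size_t io_buffer_size)
{
    if (dyn_buffer_overflows(io_buffer_size))
        return NULL;
    DynBuffer *d = malloc(sizeof(DynBuffer) + io_buffer_size);
    if (d)
        memset(d, 0, sizeof(*d));
    return d;
}

/* Helper for checking the allocator without leaking: 1 if allocation succeeded. */
int dyn_buffer_alloc_ok(size_t io_buffer_size)
{
    DynBuffer *d = dyn_buffer_alloc(io_buffer_size);
    if (!d)
        return 0;
    free(d);
    return 1;
}
```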