[Ffmpeg-devel] [PATCH] ported SGI decoder to the new API

Michael Niedermayer michaelni
Tue Mar 27 13:39:39 CEST 2007


Hi

On Tue, Mar 27, 2007 at 10:10:27AM +0800, Xiaohui Sun wrote:
> Michael Niedermayer wrote:
> > Hi
> > 
> > On Mon, Mar 26, 2007 at 10:28:30AM +0800, Xiaohui Sun wrote:
> > [...]
> >>> [...]
> >>>> +
> >>>> + for (z = 0; z < zsize; z++) {
> >>>> + for (y = 0; y < ysize; y++) {
> >>>> + dest_row = ptr + (ysize - 1 - y) * (xsize * zsize);
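Review bot: the offset on the dest_row line, `(ysize - 1 - y) * (xsize * zsize)`, is a product of three image dimensions, and nothing visible in this hunk bounds it before it is added to `ptr`. Suggest rejecting dimensions whose product exceeds the allocated picture size before entering the loops, and hoisting the loop-invariant `xsize * zsize` into a stride variable computed once as part of that check.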
> >>> whatever this is supposed to do the multiplication can overflow
> >>> which considering this is a destination pointer to write is not good
> >> then where should the decoded buffer be written to.
> > 
> > wherever you like, just not in unallocated memory
> 
> I have allocated the buffer in line 234: avctx->get_buffer(avctx, p). I am
> not sure, is this the right place to do the allocation?

the problem is that the multiplication can overflow like
ysize=65535
xsize=65535
zsize=3
y=0
(ysize - 1 - y) * (xsize * zsize)= 12884312070
(int)12884312070 = -589818

which when added with ptr points prior to the array

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 
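
The wraparound worked through in the message above, next to one way to bound the row offset before writing, as an added example (not code from the patch or from FFmpeg). The function names and the `buf_size` parameter are assumptions, and the dimensions are taken as already parsed from the file header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The patch's offset expression reduced to a 32-bit signed int, which is
 * what the (int) cast in the message shows. Computed in 64 bits so the
 * wraparound is reproduced without undefined behaviour. */
static int64_t row_offset_as_int32(uint64_t xsize, uint64_t ysize,
                                   uint64_t zsize, uint64_t y)
{
    uint64_t low = ((ysize - 1 - y) * (xsize * zsize)) & 0xFFFFFFFFu;
    return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Hypothetical checked variant: stores the offset of row y (rows are
 * written bottom-up, as in the patch) in *out and returns 0, or returns -1
 * when a dimension is zero, a product wraps, or the image exceeds buf_size. */
static int checked_row_offset(size_t xsize, size_t ysize, size_t zsize,
                              size_t y, size_t buf_size, size_t *out)
{
    size_t stride;

    if (xsize == 0 || ysize == 0 || zsize == 0 || y >= ysize)
        return -1;
    if (xsize > SIZE_MAX / zsize)
        return -1;
    stride = xsize * zsize;               /* elements per output row */
    if (stride > SIZE_MAX / ysize || stride * ysize > buf_size)
        return -1;
    *out = (ysize - 1 - y) * stride;      /* at most stride * ysize - stride */
    return 0;
}

int main(void)
{
    size_t off = 0;

    /* Values from the message: prints -589818 */
    printf("%lld\n", (long long)row_offset_as_int32(65535, 65535, 3, 0));
    /* Constructed case: a 1 MiB buffer cannot hold that image, prints -1 */
    printf("%d\n", checked_row_offset(65535, 65535, 3, 0, 1u << 20, &off));
    return 0;
}
```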