[FFmpeg-devel] stsz overflow

Alex Converse alex.converse
Tue Aug 25 01:08:02 CEST 2009


On Mon, Aug 24, 2009 at 6:44 PM, Frank Barchard <fbarchard at google.com> wrote:
> On Mon, Aug 24, 2009 at 2:22 PM, Baptiste Coudurier <baptiste.coudurier at gmail.com> wrote:
>>
>> Why sizeof(int)*8 ?
>>
>
> Since field_size has been checked, how about that instead.
> Plus the code should free the previous alloc to avoid a leak.
> Note with this change the code will fail, but avoids a crash.
>
> Index: libavformat/mov.c
> ===================================================================
> --- libavformat/mov.c ? (revision 19695)
> +++ libavformat/mov.c ? (working copy)
> @@ -1262,6 +1262,10 @@
> ? ? if (!sc->sample_sizes)
> ? ? ? ? return AVERROR(ENOMEM);
>
> + ? ?if(entries >= UINT_MAX / field_size) {
> + ? ? ? ?av_freep(&sc->sample_sizes);
> + ? ? ? ?return -1;
> + ? ?}
> ? ? num_bytes = (entries*field_size+4)>>3;
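Review bot: the new guard sits after sc->sample_sizes has already been allocated (the `if (!sc->sample_sizes) return AVERROR(ENOMEM);` directly above it), which is the only reason the error path needs `av_freep(&sc->sample_sizes);` at all; move the check before the allocation and the cleanup, and the leak it guards against, go away. Two smaller points on the same hunk: `return -1;` should be an AVERROR value to match the `AVERROR(ENOMEM)` two lines up, and the guard covers only the product in `num_bytes = (entries*field_size+4)>>3;`, not the `+4`. With `>=` the product can still reach about UINT_MAX - field_size, so the addition is safe only when field_size is at least 4; the mail says field_size has been checked, so a comment stating that dependency would help. Note also that the check rejects every count at or above UINT_MAX / field_size even though the resulting byte count (roughly entries * field_size / 8) would fit in 32 bits for many of them; computing the product in 64-bit and checking the final num_bytes avoids that.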

The intermediate product here is the part that overflows. A final
num_bytes calculated with appropriate intermediate precision should
fit in an unsigned 32-bit integer. Why not just fix that rather
than reduce the number of entries supported?
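The following is an added example, not code from the thread or from FFmpeg's mov.c. It puts the three computations side by side on the same inputs: the quoted 32-bit expression that wraps, the guard from the patch, and the 64-bit intermediate that the reply asks for. The field sizes used (4, 8 and 16 bits per entry) are an assumption; the thread only says field_size has already been checked. The inputs are constructed to show the case the reply is about: a count whose 32-bit product wraps to zero (which is what undersizes whatever is later read into num_bytes), yet whose true byte count fits comfortably in 32 bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/*
 * Three ways of computing the byte length of a packed sample-size table.
 * `entries` is the number of table entries, `field_size` the bits per entry.
 * Field sizes of 4, 8 and 16 are assumed here (the thread only says that
 * field_size "has been checked" before this point).
 */

/* The quoted mov.c expression as written: 32-bit unsigned arithmetic,
 * so entries*field_size wraps silently when it exceeds UINT_MAX. */
static unsigned naive_num_bytes(unsigned entries, unsigned field_size)
{
    return (entries * field_size + 4) >> 3;
}

/* The guard from the quoted patch: refuse any count whose product could
 * wrap, before multiplying. Returns -1 on rejection, else the byte count. */
static int64_t guarded_num_bytes(unsigned entries, unsigned field_size)
{
    if (entries >= UINT_MAX / field_size)
        return -1;
    return (entries * field_size + 4) >> 3;
}

/* Wider intermediate, as suggested in the reply: multiply in 64 bits and
 * reject only when the final byte count does not fit a 32-bit unsigned.
 * Returns -1 on rejection, else the byte count. */
static int64_t wide_num_bytes(unsigned entries, unsigned field_size)
{
    uint64_t bytes = ((uint64_t)entries * field_size + 4) >> 3;
    if (bytes > UINT32_MAX)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed inputs; the middle two wrap in 32-bit arithmetic. */
    static const struct { unsigned entries, field_size; } cases[] = {
        { 10,          4  },   /* ordinary table: 44 bits -> 5 bytes        */
        { 0x10000000u, 16 },   /* product is exactly 2^32: wraps to 0      */
        { 0x20000000u, 16 },   /* wraps, yet the true byte count is 2^30   */
        { 0xFFFFFFFFu, 16 },   /* true byte count exceeds UINT32_MAX       */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned e = cases[i].entries, f = cases[i].field_size;
        printf("entries=0x%08x field_size=%2u  naive=%-10u guarded=%-11lld wide=%lld\n",
               e, f, naive_num_bytes(e, f),
               (long long)guarded_num_bytes(e, f),
               (long long)wide_num_bytes(e, f));
    }
    return 0;
}
```

For entries = 0x20000000 and field_size = 16 the naive expression yields 0, the guard rejects the count outright, and the 64-bit version returns 0x40000000, which fits in 32 bits; that is the difference the reply is pointing at. For entries = 0xFFFFFFFF all three disagree with the naive value, and only the wide version rejects it for the right reason, namely that the real table length does not fit the 32-bit num_bytes.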
