[FFmpeg-devel] stsz overflow

Frank Barchard fbarchard
Tue Aug 25 20:21:51 CEST 2009


On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de
> wrote:

> Seems reasonable to me, except for the comment.
> A buffer overrun/overflow is only the secondary effect.
> The right comment should be something like "avoids integer
> overflow in multiplication with field_size".
> Particularly mentioning field_size may reduce the risk of forgetting
> to change this if ever e.g. field_size == 64 should become possible.


Agreed.


> Or
> if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> field_size)
> as a compromise.


I think this still has a bug if field_size is 4, because later it is
multiplied by 8.
Simple patch with comment change.  The earlier patch with int64 math is also
fully functional.

Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c   (revision 19697)
+++ libavformat/mov.c   (working copy)
@@ -1256,7 +1256,7 @@
         return -1;
     }

-    if(entries >= UINT_MAX / sizeof(int))
+    if(entries >= UINT_MAX / 32)  /* avoids integer overflow in
multiplication with field_size */
         return -1;
     sc->sample_sizes = av_malloc(entries * sizeof(int));
     if (!sc->sample_sizes)
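Review bot: the literal 32 in the new check is unexplained; the comment says it avoids overflow in the multiplication with field_size but gives no hint why 32 is the bound, so a reader cannot verify it against the code that follows. Suggest deriving it from the largest field_size the parser accepts (a named constant or an explicit "max field_size 4 * 8" in the comment) so the limit is updated together with field_size, and noting that UINT_MAX / 32 is at least as strict as the old UINT_MAX / sizeof(int) bound, so the av_malloc(entries * sizeof(int)) below stays covered.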


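The three guards discussed in this thread side by side, as an added example that is not part of the original post or of mov.c; it assumes, as the thread states, that entries is later multiplied by field_size and by 8, and that field_size is at most 4 and never 0. The helper names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names for this demonstration; not mov.c's own code.
 * Assumption taken from the thread: entries is later multiplied by
 * field_size and by 8, so a guard must keep entries * field_size * 8
 * below UINT_MAX. */

/* Guard before the patch: sized only for av_malloc(entries * sizeof(int)). */
static int guard_old(unsigned entries)
{
    return entries >= UINT_MAX / sizeof(int) ? -1 : 0;
}

/* Reimar's proposed compromise: also bound entries * field_size + 4.
 * Assumes field_size > 0 (division by field_size). */
static int guard_compromise(unsigned entries, unsigned field_size)
{
    if (entries >= UINT_MAX / sizeof(int) ||
        entries >= (UINT_MAX - 4) / field_size)
        return -1;
    return 0;
}

/* Guard in the patch: 32 = largest field_size considered (4) times 8. */
static int guard_patch(unsigned entries)
{
    return entries >= UINT_MAX / 32 ? -1 : 0;
}

/* Evaluate entries * field_size * 8 in 64 bits; returns 1 if the same
 * product in 32-bit unsigned arithmetic would have wrapped around. */
static int product_wraps(unsigned entries, unsigned field_size)
{
    uint64_t wide = (uint64_t)entries * field_size * 8;
    return wide > UINT_MAX;
}

int main(void)
{
    /* Constructed input: passes the old and compromise guards, yet wraps. */
    unsigned entries = 1073741821u;   /* just under (UINT_MAX - 4) / 4 */
    unsigned field_size = 4;
    printf("old guard: %d, compromise: %d, patch: %d, wraps: %d\n",
           guard_old(entries), guard_compromise(entries, field_size),
           guard_patch(entries), product_wraps(entries, field_size));
    return 0;
}
```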
