[FFmpeg-devel] stsz overflow

Reimar Döffinger Reimar.Doeffinger
Tue Aug 25 20:32:04 CEST 2009


On Tue, Aug 25, 2009 at 11:21:51AM -0700, Frank Barchard wrote:
> On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de
> > Or
> > if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> > field_size)
> > as a compromise.
> 
> 
> I think this still has a bug if field_size is 4, because later it is
> multiplied by 8.

This limits "entries * field_size + 4". This is then divided by 8
(rounding down) and only that result is multiplied by 8.
x / 8 * 8 can't overflow ;-) (and for x >= 0 "(x >> 3) * 8" can't
either).
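The arithmetic argued over above, as an added example that is not code from the FFmpeg tree or from either poster: it models the size computation the thread describes (the quoted guard, then entries * field_size + 4 divided by 8, then the byte count multiplied by 8 for the bit reader) in plain 32-bit unsigned arithmetic, and puts a 64-bit comparison beside it so the wrap the guard prevents is visible. The function names and the sample counts are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FFmpeg's own mov.c. 'entries' is the 32-bit sample
 * count read from the atom, 'field_size' the width of one sample-size
 * field in bits. Function names are assumptions made for this example.
 */

/* The compromise guard quoted in the thread, as written there. */
bool stsz_entries_ok(unsigned entries, unsigned field_size)
{
    if (field_size == 0)              /* assumption: a zero width is rejected up front */
        return false;
    if (entries >= UINT_MAX / sizeof(int) ||
        entries >= (UINT_MAX - 4) / field_size)
        return false;
    return true;
}

/* Byte count of the packed size table: entries * field_size + 4 bits,
 * divided by 8 rounding down. The + 4 means an odd number of 4-bit
 * entries still gets its last half-byte. Plain 32-bit unsigned
 * arithmetic, so without the guard above the product silently wraps. */
unsigned stsz_table_bytes(unsigned entries, unsigned field_size)
{
    return (entries * field_size + 4) / 8;
}

/* Bit count handed to the bit reader: the byte count times 8. The byte
 * count is x / 8 for some x that fit in 32 bits, and x / 8 * 8 <= x,
 * so this cannot wrap once the guard has passed. */
unsigned stsz_table_bits(unsigned entries, unsigned field_size)
{
    return stsz_table_bytes(entries, field_size) * 8;
}

/* Compares the exact value with the 32-bit range, to make a wrap visible. */
bool stsz_product_wraps(unsigned entries, unsigned field_size)
{
    uint64_t exact = (uint64_t)entries * field_size + 4;
    return exact > UINT_MAX;
}

int main(void)
{
    /* Constructed sample counts: ordinary files first, then hostile ones. */
    static const struct { unsigned entries, field_size; } cases[] = {
        { 7u,          4u },  /* 7 nibbles: (28 + 4) / 8 = 4 bytes */
        { 1000u,       8u },  /* 1000 bytes */
        { 0x1FFFFFFEu, 8u },  /* largest count the guard accepts for 8-bit fields */
        { 0x20000000u, 8u },  /* 2^29 * 8 = 2^32: wraps to 0, rejected by the guard */
        { 0x40000000u, 4u },  /* 2^30 * 4 = 2^32: wraps as well, rejected */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned e = cases[i].entries, f = cases[i].field_size;
        printf("entries=%u field_size=%u guard=%s wraps=%s bytes=%u bits=%u\n",
               e, f, stsz_entries_ok(e, f) ? "accept" : "reject",
               stsz_product_wraps(e, f) ? "yes" : "no",
               stsz_table_bytes(e, f), stsz_table_bits(e, f));
    }
    return 0;
}
```

The hostile rows show what the guard buys: with 2^30 four-bit entries the unguarded byte count comes out as 0, which is exactly the undersized allocation an attacker wants; with 2^29 - 2 eight-bit entries the guard still accepts, the byte count is 0x1FFFFFFE and the bit count 0xFFFFFFF0 fits in 32 bits, matching the x / 8 * 8 argument in the reply.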


