[FFmpeg-devel] stsz overflow

Frank Barchard fbarchard
Tue Aug 25 21:38:31 CEST 2009


On Tue, Aug 25, 2009 at 11:32 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de> wrote:

> On Tue, Aug 25, 2009 at 11:21:51AM -0700, Frank Barchard wrote:
> > On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de> wrote:
> > > Or
> > > if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> > > field_size)
> > > as a compromise.
> >
> >
> > I think this still has a bug if field_size is 4, because later it is
> > multiplied by 8.
>
> This limits "entries * field_size + 4". This is then divided by 8
> (rounding down) and only that result is multiplied by 8.
> x / 8 * 8 can't overflow ;-) (and for x >= 0 "(x >> 3) * 8 can't
> either).


Okay. The malloc adds another 8 (FF_INPUT_BUFFER_PADDING_SIZE). Is that a
problem?

    buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);

    if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
        field_size - FF_INPUT_BUFFER_PADDING_SIZE)
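The arithmetic being argued over above, as an added stand-alone example (not FFmpeg's code and not from either poster): a guard that rejects any `entries`/`field_size` pair for which `entries * field_size + 4` would wrap in an `unsigned`, followed by the `/ 8` and `+ padding` steps, beside the unguarded computation so the wrap is visible. `PADDING_SIZE` is an assumed stand-in for `FF_INPUT_BUFFER_PADDING_SIZE`, taken as 8 because the message above says the malloc "adds another 8".

```c
#include <limits.h>
#include <stdio.h>

/* Assumed stand-in for FF_INPUT_BUFFER_PADDING_SIZE (the thread says it adds 8). */
#define PADDING_SIZE 8

/* Unguarded computation of the bit count: wraps silently for large tables. */
unsigned naive_bits(unsigned entries, unsigned field_size)
{
    return entries * field_size + 4;
}

/*
 * Guarded allocation size for a sample-size table of `entries` fields of
 * `field_size` bits each, plus 4 bits of header.
 *
 * Returns the number of bytes to allocate (bit count / 8, plus padding),
 * or 0 if the bit count would overflow an unsigned int.  A valid result is
 * always >= PADDING_SIZE, so 0 is unambiguous as the failure value.
 */
unsigned stsz_alloc_size(unsigned entries, unsigned field_size)
{
    if (field_size == 0)
        return 0;

    /* The compromise check from the thread: bounds entries * field_size + 4. */
    if (entries >= UINT_MAX / sizeof(int) ||
        entries >= (UINT_MAX - 4) / field_size)
        return 0;

    unsigned bits      = entries * field_size + 4; /* cannot wrap: checked above */
    unsigned num_bytes = bits / 8;                 /* <= UINT_MAX / 8            */

    /* num_bytes is at most UINT_MAX / 8, so adding a small padding cannot
     * wrap either; the guard on the bit count is sufficient for the malloc. */
    return num_bytes + PADDING_SIZE;
}

int main(void)
{
    unsigned big = 0x40000000u;            /* constructed: 2^30 entries */
    printf("naive bits for 2^30 x 4-bit entries: %u (wrapped)\n",
           naive_bits(big, 4));
    printf("guarded size for 2^30 x 4-bit entries: %u (0 = rejected)\n",
           stsz_alloc_size(big, 4));
    printf("guarded size for 1000 x 32-bit entries: %u bytes\n",
           stsz_alloc_size(1000, 32));
    return 0;
}
```

The point the example makes concrete: once `entries * field_size + 4` is known to fit, dividing by 8 leaves at most `UINT_MAX / 8`, so the later `+ FF_INPUT_BUFFER_PADDING_SIZE` has plenty of headroom and needs no extra term in the check.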


