[FFmpeg-devel] stsz overflow
Tue Aug 25 22:40:11 CEST 2009
On Tue, Aug 25, 2009 at 12:38:31PM -0700, Frank Barchard wrote:
> On Tue, Aug 25, 2009 at 11:32 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de> wrote:
> > On Tue, Aug 25, 2009 at 11:21:51AM -0700, Frank Barchard wrote:
> > > On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de
> > > > Or
> > > > if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> > > > field_size)
> > > > as a compromise.
> > >
> > >
> > > I think this still has a bug if field_size is 4, because later it is
> > > multiplied by 8.
> > This limits "entries * field_size + 4". This is then divided by 8
> > (rounding down) and only that result is multiplied by 8.
> > x / 8 * 8 can't overflow ;-) (and for x >= 0 "(x >> 3) * 8 can't
> > either).
> okay. The malloc adds another 8 (FF_INPUT_BUFFER_PADDING_SIZE). Is that a
Since multiplying by 8 does not overflow, only if
FF_INPUT_BUFFER_PADDING_SIZE > UINT_MAX / 8.
I sure hope it will never be :-P
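An added worked example of the arithmetic argued in this thread (example code, not the FFmpeg patch itself; PADDING_SIZE is an assumed stand-in for FF_INPUT_BUFFER_PADDING_SIZE and the function names are made up): the quoted guard, the unguarded computation it protects, and the later / 8 and * 8 steps that cannot wrap once the guard holds.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
/* Assumed stand-in for FF_INPUT_BUFFER_PADDING_SIZE (the thread says 8). */
#define PADDING_SIZE 8u

/* The compromise guard quoted in the thread: reject an entry count for
 * which entries * sizeof(int) or entries * field_size + 4 would wrap. */
static bool stsz_entries_ok(unsigned entries, unsigned field_size)
{
    if (field_size == 0)                        /* no division by zero */
        return false;
    if (entries >= UINT_MAX / sizeof(int))      /* sample_sizes array */
        return false;
    if (entries >= (UINT_MAX - 4) / field_size) /* packed table, in bits */
        return false;
    return true;
}

/* Unguarded bit count, shown only so the wrap the guard prevents is visible. */
static unsigned stsz_bits_unchecked(unsigned entries, unsigned field_size)
{
    return entries * field_size + 4;
}

/* Bytes malloc'd for the packed table, (bits / 8) + padding. num_bytes <=
 * UINT_MAX / 8, so the sum wraps only if PADDING_SIZE > UINT_MAX / 8. */
static unsigned stsz_alloc_bytes(unsigned entries, unsigned field_size)
{
    if (!stsz_entries_ok(entries, field_size))
        return 0;                               /* rejected input */
    return (entries * field_size + 4) / 8 + PADDING_SIZE;
}

/* Bit count handed to the bit reader afterwards: 8 * num_bytes. Because
 * num_bytes is bits / 8 rounded down, 8 * num_bytes <= bits: no wrap. */
static unsigned stsz_reader_bits(unsigned entries, unsigned field_size)
{
    if (!stsz_entries_ok(entries, field_size))
        return 0;
    return 8 * ((entries * field_size + 4) / 8);
}

int main(void)
{
    unsigned e = UINT_MAX / 4; /* 4-bit fields: enough entries to wrap */
    printf("wrapped bits %u, guard accepts %d, 100 entries -> %u bytes\n",
           stsz_bits_unchecked(e, 4), stsz_entries_ok(e, 4), stsz_alloc_bytes(100, 4));
}
```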