[FFmpeg-devel] stsz overflow

Reimar Döffinger Reimar.Doeffinger
Tue Aug 25 22:40:11 CEST 2009


On Tue, Aug 25, 2009 at 12:38:31PM -0700, Frank Barchard wrote:
> On Tue, Aug 25, 2009 at 11:32 AM, Reimar Döffinger <Reimar.Doeffinger at gmx.de
> > wrote:
> 
> > On Tue, Aug 25, 2009 at 11:21:51AM -0700, Frank Barchard wrote:
> > > On Tue, Aug 25, 2009 at 11:11 AM, Reimar Döffinger <
> > Reimar.Doeffinger at gmx.de
> > > > Or
> > > > if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) /
> > > > field_size)
> > > > as a compromise.
> > >
> > >
> > > I think this still has a bug if field_size is 4, because later it is
> > > multiplied by 8.
> >
> > This limits "entries * field_size + 4". This is then divided by 8
> > (rounding down) and only that result is multiplied by 8.
> > x / 8 * 8 can't overflow ;-) (and for x >= 0 "(x >> 3) * 8 can't
> > either).
> 
> 
> okay.  The malloc adds another 8 (FF_INPUT_BUFFER_PADDING_SIZE).  Is that a
> problem?

Since multiplying by 8 does not overflow, only if
FF_INPUT_BUFFER_PADDING_SIZE > UINT_MAX / 8.
I sure hope it will never be :-P
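The arithmetic the thread argues about, written out as a small added C example (this is not code from the thread or from FFmpeg's mov demuxer). It keeps the compromise check quoted above, takes FF_INPUT_BUFFER_PADDING_SIZE as 8 because the thread gives that value, and puts an unchecked `naive_table_bits` next to it to show the wraparound the check prevents; function names and test values are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Padding appended to the allocation; the thread gives its value as 8. */
#define FF_INPUT_BUFFER_PADDING_SIZE 8

/* Unchecked size arithmetic (constructed for contrast): entries * field_size + 4
 * wraps modulo 2^32, so a hostile entry count yields a tiny bit count and an
 * undersized buffer. */
unsigned naive_table_bits(unsigned entries, unsigned field_size)
{
    return entries * field_size + 4;
}

/* Bytes needed for the packed sample-size table, rounded down as the thread
 * describes, or -1 if the entry count fails the overflow check. */
static long long checked_table_bytes(unsigned entries, unsigned field_size)
{
    unsigned bits;

    if (field_size == 0)            /* would divide by zero below */
        return -1;

    /* The compromise check quoted in the thread: bound both the int array
     * (entries * sizeof(int)) and the packed bit count (entries * field_size + 4)
     * so that neither reaches UINT_MAX. */
    if (entries >= UINT_MAX / sizeof(int) ||
        entries >= (UINT_MAX - 4) / field_size)
        return -1;

    bits = entries * field_size + 4;   /* cannot wrap: bounded by the check above */
    return bits >> 3;                  /* round down to whole bytes */
}

/* Allocation size: byte count plus padding. bytes <= UINT_MAX / 8 here, so the
 * padding only overflows if FF_INPUT_BUFFER_PADDING_SIZE > UINT_MAX / 8, exactly
 * the condition Reimar states. Returns -1 when the check rejects the count. */
long long stsz_table_alloc_size(unsigned entries, unsigned field_size)
{
    long long bytes = checked_table_bytes(entries, field_size);
    if (bytes < 0)
        return -1;
    return bytes + FF_INPUT_BUFFER_PADDING_SIZE;
}

/* Bit count handed back after the round-down: (bits / 8) * 8 <= bits, so
 * multiplying the rounded-down byte count by 8 cannot overflow either. */
long long stsz_reader_bits(unsigned entries, unsigned field_size)
{
    long long bytes = checked_table_bytes(entries, field_size);
    if (bytes < 0)
        return -1;
    return (unsigned)bytes * 8u;
}

int main(void)
{
    /* Constructed inputs: a small table, the largest 4-bit table the check
     * admits, and an entry count chosen so the naive product wraps to 8. */
    printf("100 x 4 bits  -> alloc %lld, reader bits %lld\n",
           stsz_table_alloc_size(100, 4), stsz_reader_bits(100, 4));
    printf("max 4-bit     -> alloc %lld, reader bits %lld\n",
           stsz_table_alloc_size(1073741821u, 4), stsz_reader_bits(1073741821u, 4));
    printf("0x40000001 x 4 -> naive bits %u, checked alloc %lld\n",
           naive_table_bits(0x40000001u, 4), stsz_table_alloc_size(0x40000001u, 4));
    return 0;
}
```

The boundary case is the instructive one: with 1073741821 entries of 4 bits the bit count lands at UINT_MAX - 7, the byte count at 536870911, and multiplying that back by 8 returns exactly the original bit count without wrapping, which is the "x / 8 * 8 can't overflow" point from the thread.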
