[FFmpeg-devel] [PATCH] IVF demuxer

Reimar Döffinger Reimar.Doeffinger
Sat May 22 09:17:39 CEST 2010

On Fri, May 21, 2010 at 06:10:28PM -0400, David Conrad wrote:
> On May 21, 2010, at 1:23 AM, Reimar D?ffinger wrote:
> > On Thu, May 20, 2010 at 09:26:23PM -0400, David Conrad wrote:
> >> +    int ret, size = get_le32(s->pb);
> > 
> > Forgot: reading a 32 bit value into a signed int and using it
> > in av_get_packet without range check seems like a really bad idea to me.
> av_get_packet has     if((unsigned)size < (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
> which should check for it (though iirc there were some questions about it relied on undefined overflow behaviour?)

No, it only checks for overflow due to adding padding.
With size < 0 e.g. get_buffer won't read any data so you would
always get an empty packet, thus doing a several GB malloc
and the free.
It should be safe to do as it is, but it's not a good implementation IMO.

More information about the ffmpeg-devel mailing list