[FFmpeg-devel] [PATCH] Respect payload offset in av_grow_packet
Andriy Lysnevych
andriy.lysnevych at gmail.com
Tue May 24 11:32:19 CEST 2016
This one was removed:
>> - if (!pkt->size)
>> - return av_new_packet(pkt, grow_by);
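Review bot: with this early return gone, a packet that has no buffer and size 0 now takes the general path below instead of a fresh allocation, so the non-buf branch has to cope with pkt->size == 0 without reading through pkt->data, which may be NULL for such a packet. Worth stating in the commit message that the removal is motivated by the leak case described here (size 0 but pkt->buf already set) so the "(FIXME?)" does not have to be rediscovered.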
pkt->size can be 0 but a reference-counted buf allocated. av_new_packet
leads to a memory leak in this case. (FIXME?)
>> - if ((unsigned)grow_by >
>> - INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
>> - return -1;
>>
>> new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
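Review bot: the check removed here guarded the unchanged `new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;` that immediately follows, and that addition is still evaluated before any replacement check placed inside the `if (pkt->buf)` branches further down. A signed overflow is undefined at the point of the addition whether or not new_size is later used, so either keep one check ahead of this line (folding data_offset into it when pkt->buf is set) or move the computation of new_size into each branch after that branch's own check.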
>
> you remove the overflow check, which makes this undefined behavior
> (note that this is also so when the value is not used)
>
This check is not removed. It is duplicated in the two if branches:
if (pkt->buf) {
+ int data_offset = pkt->data - pkt->buf->data;
+ if ((unsigned)grow_by >
+ INT_MAX - (pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE))
+ return -1;
...
} else {
+ if ((unsigned)grow_by >
+ INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
+ return -1;
...
}
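Review bot: in the pkt->buf branch, `pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE` is itself a signed int sum that can wrap before the comparison when size plus offset is already close to INT_MAX, so the guard does not fully protect itself. Evaluate it in a wider or unsigned type, or bound `pkt->size + data_offset` first (an av_assert0 on pkt->size would do), and since data_offset is a pointer difference, ptrdiff_t or size_t is a safer type for it than int.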
Please specify in more detail if I missed something. Thanks!
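As an added illustration of the point under discussion (not code from the patch or from FFmpeg), the following C model grows a packet whose payload starts at an offset into its reference-counted buffer, with the bound check counting that offset and running before new_size is formed. Buf, Pkt, grow_packet and the demo functions are constructed stand-ins for AVBufferRef/AVPacket/av_grow_packet; only the pkt->buf path is modelled.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for AVBufferRef/AVPacket; PADDING plays AV_INPUT_BUFFER_PADDING_SIZE. */
#define PADDING 32
typedef struct { uint8_t *data; int size; } Buf;
typedef struct { Buf *buf; uint8_t *data; int size; } Pkt;
/* Grow the payload by grow_by bytes while keeping pkt->data's offset into pkt->buf.
 * The bound check includes data_offset and runs before new_size is formed, so no int wraps. */
int grow_packet(Pkt *pkt, int grow_by)
{
    int data_offset = (int)(pkt->data - pkt->buf->data), new_size, total;
    if (grow_by < 0 || data_offset < 0 ||
        (int64_t)pkt->size + data_offset + PADDING + grow_by > INT_MAX)
        return -1;                         /* would overflow int */
    new_size = pkt->size + grow_by + PADDING;
    total    = new_size + data_offset;     /* bytes the buffer must hold */
    if (total > pkt->buf->size) {
        uint8_t *p = realloc(pkt->buf->data, (size_t)total);
        if (!p) return -1;
        pkt->buf->data = p; pkt->buf->size = total;
        pkt->data = p + data_offset;       /* re-derive after realloc */
    }
    pkt->size += grow_by;
    memset(pkt->data + pkt->size, 0, PADDING);
    return 0;
}
/* Constructed input: 4-byte header then 8-byte payload, pkt->data past the header. Returns 1 if both survive. */
int demo_offset_preserved(void)
{
    Buf *b = malloc(sizeof *b); Pkt pkt; int ok;
    b->data = malloc(12); b->size = 12;
    memcpy(b->data, "HDR!payload!", 12);
    pkt.buf = b; pkt.data = b->data + 4; pkt.size = 8;
    ok = grow_packet(&pkt, 100) == 0 && pkt.size == 108 &&
         pkt.data - pkt.buf->data == 4 && pkt.buf->size == 4 + 108 + PADDING &&
         memcmp(pkt.buf->data, "HDR!payload!", 12) == 0;
    free(b->data); free(b);
    return ok;
}
/* A request the offset-blind check (size + grow_by + padding <= INT_MAX) would accept,
 * but which overflows once the 1-byte payload offset is counted. Returns -1. */
int demo_offset_overflow_rejected(void)
{
    Buf b = { (uint8_t *)"xy", 2 };
    Pkt pkt = { &b, b.data + 1, INT_MAX - PADDING - 2 };   /* size is never dereferenced */
    return grow_packet(&pkt, 2);
}
```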