[Ffmpeg-devel] [PATCH] from DivX, Part 1: cosmectic changes
Michael Niedermayer
michaelni
Sat Dec 17 02:32:45 CET 2005
Hi
On Fri, Dec 16, 2005 at 03:20:38PM -1000, Steve Lhomme wrote:
> >>The type of a sizeof() expression is size_t, which is unsigned. Hence
> >>sizeof(foo) + x < x is impossible, unless the addition overflows.
> >
> >
> >yes, maybe looking at the next line clarifies the meaning behind this
> >d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
> >if it overflows, you will have a too small buffer ...
>
> The question is: will it overflow on a 32-bit system?
> There are other examples of such tests that I replaced with asserts.
Well, as io_buffer_size is practically a parameter to this function, it's a
question of how this function is used, and as the overflow would cause a
buffer overflow on the heap which might be exploitable, I really don't think
you want this to be missing in non-debug builds.
[...]
--
Michael
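
Added example (not part of the original message and not FFmpeg's code): the size computation discussed above, with the overflow test kept as a runtime check that survives release builds. The struct layout, the function names, the size_t parameter type and the use of malloc in place of av_malloc are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the DynBuffer header discussed in the thread;
 * the real FFmpeg layout is not shown on the page. */
typedef struct DynBuffer {
    size_t pos, size, allocated_size;
    unsigned char *buffer;
    size_t io_buffer_size;
    unsigned char io_buffer[];   /* payload follows the header */
} DynBuffer;

/* What the unchecked sum evaluates to: size_t arithmetic wraps modulo
 * SIZE_MAX + 1, so a huge io_buffer_size yields a tiny request. */
size_t dyn_alloc_size_unchecked(size_t io_buffer_size)
{
    return sizeof(DynBuffer) + io_buffer_size;
}

/* Runtime check that stays in release builds. An assert() here would be
 * compiled out under -DNDEBUG, leaving the wrapped size to reach malloc. */
DynBuffer *dyn_buf_alloc(size_t io_buffer_size)
{
    if (io_buffer_size > SIZE_MAX - sizeof(DynBuffer))
        return NULL;             /* sum would overflow: refuse */
    DynBuffer *d = malloc(sizeof(DynBuffer) + io_buffer_size);
    if (d) {
        d->pos = d->size = d->allocated_size = 0;
        d->buffer = NULL;
        d->io_buffer_size = io_buffer_size;
    }
    return d;
}

int main(void)
{
    size_t huge = SIZE_MAX - 3;  /* constructed caller-supplied value */
    DynBuffer *rejected = dyn_buf_alloc(huge);
    printf("unchecked request: %zu bytes\n", dyn_alloc_size_unchecked(huge));
    printf("checked alloc: %s\n", rejected ? "allocated" : "rejected");
    DynBuffer *ok = dyn_buf_alloc(4096);
    printf("normal alloc: %s\n", ok ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

The comparison `io_buffer_size > SIZE_MAX - sizeof(DynBuffer)` is equivalent to the `sizeof(foo) + x < x` form quoted in the thread, but never performs the wrapping addition itself.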