[Ffmpeg-devel] [PATCH] THP PCM decoder (GSoC Qualification)
Michael Niedermayer
michaelni
Sat Apr 7 14:55:33 CEST 2007
Hi
On Sat, Apr 07, 2007 at 02:17:40PM +0200, Marco Gerards wrote:
> Michael Niedermayer <michaelni at gmx.at> writes:
>
> Hi,
>
> [...]
>
> >> + /* Initialize the previous sample. */
> >> + for (ch = 0; ch < 2; ch++) {
> >> + prev1[ch] = get_sbits(&gb, 16);
> >> + prev2[ch] = get_sbits(&gb, 16);
> >> + }
> >> +
> >> + if (samples + samplecnt * (st + 1L) >= samples_end) {
> >> + av_log(avctx, AV_LOG_ERROR, "allocated output buffer is too small\n");
> >> + return -1;
> >> + }
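Review bot: the check `if (samples + samplecnt * (st + 1L) >= samples_end)` can be defeated by arithmetic wrap-around, because nothing in this hunk bounds samplecnt before it is multiplied and added to a pointer; on a 32-bit target the product samplecnt * (st + 1L) and the subsequent pointer addition are both 32-bit operations, so a large samplecnt wraps back below samples_end and the comparison passes (pointer overflow is also undefined behaviour, so the compiler is free to drop the test entirely). Compare the count against the room actually left instead, e.g. `if (samplecnt >= (samples_end - samples) / (st + 1))`, which involves no multiplication and therefore cannot wrap.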
> >
> > this check is still insufficient
> > samplecnt=0xFFFFFFFF, st=0 will, among many others, still pass as long as
> > pointers are 32-bit (yeah, 32-bit systems are still the majority AFAIK)
> > and on 64-bit it's a gamble if random pointer + 0xFFFFFFFF will overflow
> > probably it won't, but that's just luck
>
> How about:
> if (samplecnt * (st + 1L) >= samples_end - samples) {
> av_log(avctx, AV_LOG_ERROR, "allocated output buffer is too small\n");
> return -1;
> }
>
> In that case I think no bad stuff will happen.
On 32-bit systems, long and int are 32 bits:
0x80000000 * (1 + 1L) >= samples_end - samples
0x80000000 * 2L >= samples_end - samples
0 >= samples_end - samples
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
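The two failure modes discussed above (the pointer addition wrapping in the original patch, and the product wrapping in the proposed replacement) and a division-based check that cannot wrap, as an added example that is not part of the original thread or of FFmpeg's code. It models an ILP32 target by doing the arithmetic in uint32_t, so the wrap-around is defined behaviour here; the buffer address, buffer size, the assumption that the output buffer holds int16_t samples and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not FFmpeg code. Each check returns 1 when the input
 * is rejected (buffer too small) and 0 when it is accepted.
 *
 * Assumed conventions: the output buffer holds int16_t samples,
 * `remaining` is samples_end - samples measured in samples, st is 1 for
 * stereo and 0 for mono, and samplecnt is an untrusted 32-bit count
 * taken from the bitstream. Addresses are modelled as uint32_t to make
 * the ILP32 wrap-around observable without undefined behaviour.
 */

/* Check from the patch: samples + samplecnt * (st + 1L) >= samples_end.
   On ILP32 both the product and the pointer addition wrap modulo 2^32. */
int patch_check_ilp32(uint32_t samples_addr, uint32_t samples_end_addr,
                      uint32_t samplecnt, int st)
{
    uint32_t needed  = samplecnt * (uint32_t)(st + 1);                   /* may wrap */
    uint32_t end_ptr = samples_addr + needed * (uint32_t)sizeof(int16_t); /* may wrap */
    return end_ptr >= samples_end_addr;
}

/* Proposed replacement: samplecnt * (st + 1L) >= samples_end - samples.
   The pointer addition is gone, but the 32-bit product still wraps. */
int product_check_ilp32(uint32_t samplecnt, int st, int32_t remaining)
{
    uint32_t needed = samplecnt * (uint32_t)(st + 1);                    /* may wrap */
    return needed >= (uint32_t)remaining;
}

/* Division form: compare the count against the number of frames that fit.
   No multiplication, so no operand can wrap on any pointer width. The >=
   keeps the strictness of the original check. */
int div_check(uint32_t samplecnt, int st, ptrdiff_t remaining)
{
    if (remaining <= 0)
        return 1;
    return samplecnt >= (uint64_t)remaining / (uint64_t)(st + 1);
}

/* Equivalent alternative: widen to 64 bits before multiplying. */
int wide_check(uint32_t samplecnt, int st, ptrdiff_t remaining)
{
    if (remaining <= 0)
        return 1;
    return (uint64_t)samplecnt * (uint64_t)(st + 1) >= (uint64_t)remaining;
}

int main(void)
{
    /* Constructed scenario: 1024 int16_t samples of output space at 0x10000000. */
    const uint32_t buf = 0x10000000u;
    const uint32_t end = buf + 1024u * (uint32_t)sizeof(int16_t);
    const int32_t  remaining = 1024;

    printf("samplecnt=0xFFFFFFFF st=0: patch check rejects=%d, div check rejects=%d\n",
           patch_check_ilp32(buf, end, 0xFFFFFFFFu, 0),
           div_check(0xFFFFFFFFu, 0, remaining));
    printf("samplecnt=0x80000000 st=1: product check rejects=%d, div check rejects=%d\n",
           product_check_ilp32(0x80000000u, 1, remaining),
           div_check(0x80000000u, 1, remaining));
    printf("samplecnt=511 st=1 (fits): div check rejects=%d\n",
           div_check(511, 1, remaining));
    return 0;
}
```

Run as-is, the first two lines show each 32-bit check accepting a count that needs far more than 1024 samples, while the division form rejects it and still accepts a count that fits. The same reasoning applies on 64-bit targets whenever the count type is wider than the remaining space can justify; the division form is the one that needs no assumption about pointer width.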