[FFmpeg-devel] [PATCH 2/4] avformat/mxfdec: Check count in mxf_read_strong_ref_array()
Tomas Härdin
tjoppen at acc.umu.se
Mon Mar 21 12:06:14 EET 2022
sön 2022-03-20 klockan 15:06 +0100 skrev Michael Niedermayer:
> On Sun, Mar 20, 2022 at 02:05:41PM +0100, Tomas Härdin wrote:
> > lör 2022-03-19 klockan 23:50 +0100 skrev Michael Niedermayer:
> [...]
> > >
> > >
> > > >
> > > > > +
> > > > > + //avio_read() used int
> > > > > + if (c > INT_MAX / sizeof(UID))
> > > > > + return AVERROR_PATCHWELCOME;
> > > > > + *count = c;
> > > > > +
> > > >
> > > > This should already be caught by av_calloc(), no?
> > >
> > > the API as in the documentation of av_calloc() does not gurantee
> > > this.
> >
> > Yes it does:
> >
> > The allocated memory will have size `size * nmemb` bytes.
> > [...]
> > `NULL` if the block cannot be allocated
>
> void *av_calloc(size_t nmemb, size_t size)
> size_t can be larger than int, so size * nmemb may be larger than
> INT_MAX
Crap, you're right. This also brings to mind the question why
packages_count etc are int rather than unsigned or uint32_t..
Patch is OK then
/Tomas
More information about the ffmpeg-devel
mailing list