[FFmpeg-devel] [PATCH 2/4] avformat/mxfdec: Check count in mxf_read_strong_ref_array()
Michael Niedermayer
michael at niedermayer.cc
Mon Mar 21 23:20:52 EET 2022
On Mon, Mar 21, 2022 at 11:06:14AM +0100, Tomas Härdin wrote:
> sön 2022-03-20 klockan 15:06 +0100 skrev Michael Niedermayer:
> > On Sun, Mar 20, 2022 at 02:05:41PM +0100, Tomas Härdin wrote:
> > > lör 2022-03-19 klockan 23:50 +0100 skrev Michael Niedermayer:
> > [...]
> > > >
> > > >
> > > > >
> > > > > > +
> > > > > > + //avio_read() used int
> > > > > > + if (c > INT_MAX / sizeof(UID))
> > > > > > + return AVERROR_PATCHWELCOME;
> > > > > > + *count = c;
> > > > > > +
> > > > >
> > > > > This should already be caught by av_calloc(), no?
> > > >
> > > > the API as in the documentation of av_calloc() does not gurantee
> > > > this.
> > >
> > > Yes it does:
> > >
> > > The allocated memory will have size `size * nmemb` bytes.
> > > [...]
> > > `NULL` if the block cannot be allocated
> >
> > void *av_calloc(size_t nmemb, size_t size)
> > size_t can be larger than int, so size * nmemb may be larger than
> > INT_MAX
>
> Crap, you're right. This also brings to mind the question why
> packages_count etc are int rather than unsigned or uint32_t..
>
> Patch is OK then
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220321/6f20ef97/attachment.sig>
More information about the ffmpeg-devel
mailing list