[FFmpeg-cvslog] r18088 - trunk/libavformat/mxfdec.c

Reimar Döffinger Reimar.Doeffinger
Sun Mar 22 10:31:37 CET 2009


On Sat, Mar 21, 2009 at 08:20:43PM -0700, Baptiste Coudurier wrote:
> bcoudurier wrote:
> > Author: bcoudurier
> > Date: Sat Mar 21 01:50:51 2009
> > New Revision: 18088
> > 
> > Log:
> > protect realloc overflow
> > 
> > Modified:
> >    trunk/libavformat/mxfdec.c
> > 
> > Modified: trunk/libavformat/mxfdec.c
> > ==============================================================================
> > --- trunk/libavformat/mxfdec.c	Sat Mar 21 01:50:19 2009	(r18087)
> > +++ trunk/libavformat/mxfdec.c	Sat Mar 21 01:50:51 2009	(r18088)
> > @@ -364,6 +364,8 @@ static int mxf_read_primer_pack(MXFConte
> >  
> >  static int mxf_add_metadata_set(MXFContext *mxf, void *metadata_set)
> >  {
> > +    if (mxf->metadata_sets_count+1 >= UINT_MAX / sizeof(*mxf->metadata_sets))
> > +        return AVERROR(ENOMEM);
> >      mxf->metadata_sets = av_realloc(mxf->metadata_sets, (mxf->metadata_sets_count + 1) * sizeof(*mxf->metadata_sets));
> >      if (!mxf->metadata_sets)
> >          return -1;
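Review bot: in the added guard, `mxf->metadata_sets_count+1` is evaluated before the comparison, so the increment can itself overflow, and the test then no longer bounds the size passed to av_realloc on the next line. The declaration of the counter is not visible in this hunk: if it is a signed int the overflow is undefined behaviour, and if it is unsigned and already at UINT_MAX it wraps to 0. Keep the counter alone on one side, for example `if (mxf->metadata_sets_count >= UINT_MAX / sizeof(*mxf->metadata_sets) - 1)`. Two smaller points on the same lines: the new path returns AVERROR(ENOMEM) while the existing realloc-failure path returns -1, and assigning the av_realloc result straight back to mxf->metadata_sets loses the old pointer when the call fails.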
> 
> Just to be sure, is the test sufficient and the best?

Depends: is metadata_sets_count int or unsigned?
The +1 can most likely overflow. Simple rule: a working overflow check
will almost always have the check variable standing alone on one side.
Writing the equation the naive way and moving everything else to the other
side often works; you just have to make sure rounding happens the right
way around.
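
The rule from the reply above, as an added example that is not part of the original message or of FFmpeg's code. The helper names `grow_ok_naive` and `grow_ok` are hypothetical, and the counter is assumed to be `unsigned`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not FFmpeg code.
 * Question asked: does (count + 1) * elem_size fit in an unsigned int? */

/* Same shape as the committed check (reject when count+1 >= limit).
 * The counter is NOT alone on its side: count + 1 wraps to 0 when
 * count == UINT_MAX, and 0 compares as "small enough". */
static int grow_ok_naive(unsigned count, size_t elem_size)
{
    return !(count + 1 >= UINT_MAX / elem_size);
}

/* Naive equation:  (count + 1) * elem_size <= UINT_MAX
 * Move everything except count to the other side:
 *                  count <= UINT_MAX / elem_size - 1
 * Integer division rounds down, which is the safe direction here: it can
 * only make the limit smaller, never admit a product above UINT_MAX. */
static int grow_ok(unsigned count, size_t elem_size)
{
    /* elem_size == 0 would divide by zero; elem_size > UINT_MAX would make
     * the quotient 0 and the "- 1" wrap around. Reject both up front. */
    if (elem_size == 0 || elem_size > UINT_MAX)
        return 0;
    return count <= UINT_MAX / elem_size - 1;
}

int main(void)
{
    /* Constructed sample inputs: 8-byte elements, counters near the limits. */
    unsigned samples[] = { 0, UINT_MAX / 8 - 1, UINT_MAX / 8, UINT_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("count=%u naive=%d rearranged=%d\n", samples[i],
               grow_ok_naive(samples[i], 8), grow_ok(samples[i], 8));
    return 0;
}
```

With the counter at `UINT_MAX` the naive form accepts the growth and the rearranged form rejects it; at every other sample the rearranged form is exact to the last element.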


