[Ffmpeg-devel] [PATCH] THP PCM decoder (GSoC Qualification)

Michael Niedermayer michaelni
Sat Apr 7 14:55:33 CEST 2007


Hi

On Sat, Apr 07, 2007 at 02:17:40PM +0200, Marco Gerards wrote:
> Michael Niedermayer <michaelni at gmx.at> writes:
> 
> Hi,
> 
> [...]
> 
> >> +        /* Initialize the previous sample.  */
> >> +        for (ch = 0; ch < 2; ch++) {
> >> +            prev1[ch] = get_sbits(&gb, 16);
> >> +            prev2[ch] = get_sbits(&gb, 16);
> >> +        }
> >> +
> >> +        if (samples + samplecnt * (st + 1L) >= samples_end) {
> >> +            av_log(avctx, AV_LOG_ERROR, "allocated output buffer is too small\n");
> >> +            return -1;
> >> +        }
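Review bot: the bounds check at the end of this hunk can still be bypassed by integer wraparound, because `samples + samplecnt * (st + 1L)` is computed in pointer width before the comparison; with 32-bit pointers a sufficiently large samplecnt wraps the sum to an address below samples_end and the check passes. Suggest comparing samplecnt against the space that is left without multiplying, e.g. `if (samplecnt > (samples_end - samples) / (st + 1))`, so no intermediate can overflow.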
> >
> > this check is still insufficient
> > samplecnt= 0xFFFFFFFF, st=0 will among many others still pass as long as
> > pointers are 32bit (yeah 32bit systems are still the majority AFAIK)
> > and on 64bit it's a gamble if random pointer + 0xFFFFFFFF will overflow
> > probably it won't but that's just luck
> 
> How about:
>         if (samplecnt * (st + 1L) >= samples_end - samples) {
>             av_log(avctx, AV_LOG_ERROR, "allocated output buffer is too small\n");
>             return -1;
>         }
> 
> In that case I think no bad stuff will happen.

on 32bit systems, long and int are 32bit

0x80000000 * (1 + 1L) >= samples_end - samples
0x80000000 * 2L       >= samples_end - samples
0                     >= samples_end - samples

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
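The three checks discussed in this thread, as an added example that is not part of the patch or the mail: each is modelled with explicit 32-bit types so the wraparound Michael walks through above reproduces on any host. It assumes `long` and pointers are 32 bits wide, pointers are offsets counted in samples, and st+1 is the channel count; all values are constructed.

```c
#include <stdint.h>

/* Assumed model: a 32-bit pointer is a uint32_t offset in samples and a
 * 32-bit ptrdiff_t is an int32_t. Every value below is constructed. */
typedef uint32_t ptr32;
typedef int32_t  diff32;

/* Original patch: samples + samplecnt * (st + 1L) >= samples_end.
 * Returns 1 when the check fires ("allocated output buffer is too small"). */
int check_original(ptr32 samples, ptr32 samples_end, uint32_t samplecnt, int st)
{
    uint32_t needed = samplecnt * (uint32_t)(st + 1);
    ptr32 end = samples + needed;      /* wraps below samples_end for huge samplecnt */
    return end >= samples_end;
}

/* Marco's proposal: samplecnt * (st + 1L) >= samples_end - samples.
 * With a 32-bit long the product itself wraps: 0x80000000 * 2 -> 0.
 * (With a signed long that is undefined behaviour in real C; it is
 * modelled here as modular arithmetic, which is what Michael computed.) */
int check_proposed(ptr32 samples, ptr32 samples_end, uint32_t samplecnt, int st)
{
    uint32_t product = samplecnt * (uint32_t)(st + 1);
    diff32 remaining = (diff32)(samples_end - samples);
    return product >= (uint32_t)remaining;
}

/* Overflow-free form: divide the space left instead of multiplying the
 * request. Rejects exactly when samplecnt * (st + 1) samples do not fit,
 * and never forms an intermediate that can wrap. */
int check_safe(ptr32 samples, ptr32 samples_end, uint32_t samplecnt, int st)
{
    uint32_t channels = (uint32_t)st + 1;
    if (samples_end < samples || channels == 0)
        return 1;                      /* nothing sane can fit */
    uint32_t remaining = samples_end - samples;
    return samplecnt > remaining / channels;
}
```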