[FFmpeg-devel] av_strlcpy() size parameter signedness

Rich Felker dalias
Sat Sep 29 03:27:02 CEST 2007


On Sat, Sep 29, 2007 at 01:37:48AM +0200, Michael Niedermayer wrote:
> Hi
> 
> currently the buffer size parameter for av_strlcpy() (and friends) 
> is unsigned, this makes sense and is logical but it has a flaw,
> that is if a negative value is mistakenly used something very bad happens
> 
> how can a negative value be assigned?
> 
> av_strlcpy(... FFMIN(buf_size, something))
> with something being <0 and buf_size signed

This sounds like a bogus construct. We should find out why values that
can be negative are being used in sizes like this. A hack to make the
problem go away is not appropriate; it's just covering up the
underlying bug.

> I propose that we add a check to the functions so that they treat
> sizes > INT_MAX like 0 (or an equivalent simpler solution)
> 
> comments welcome...

IMO it's bad to have a function called strlcpy (even with av_ prefix)
whose semantics are different from the standard BSD function.

Rich
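The construct Michael describes, shown as an added example (not code from this thread or from FFmpeg): a hypothetical demo_strlcpy() with BSD strlcpy() semantics standing in for av_strlcpy(), a DEMO_FFMIN macro standing in for FFMIN, and two responses to a negative signed size, a caller-side check (the fix Rich argues for) and, for comparison, a callee-side clamp of sizes above INT_MAX to 0 as Michael proposes. The function names, the 16-byte buffer and the "hello" input are all constructed for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for av_strlcpy() with BSD strlcpy() semantics: copy at most
 * size-1 bytes, NUL-terminate when size > 0, return strlen(src).
 * Hypothetical demo code, not FFmpeg's implementation. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = 0;
    while (src[len] && len + 1 < size) {
        dst[len] = src[len];
        len++;
    }
    if (size)
        dst[len] = '\0';
    while (src[len])
        len++;
    return len;
}

/* Stand-in for FFMIN; evaluates its arguments twice like the simple macro form. */
#define DEMO_FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* What the callee actually receives: the signed FFMIN result is converted
 * to size_t at the call site, so -1 arrives as SIZE_MAX and the bound check
 * inside strlcpy never trips. */
size_t effective_size(int buf_size, int something)
{
    int n = DEMO_FFMIN(buf_size, something);
    return (size_t)n;   /* the same implicit conversion as passing n directly */
}

/* Caller-side fix: refuse the copy when the computed size is negative
 * instead of letting it become a huge unsigned value.
 * Returns 0 on success, -1 when the size is negative. */
int guarded_copy(char *dst, const char *src, int buf_size, int something)
{
    int n = DEMO_FFMIN(buf_size, something);
    if (n < 0)
        return -1;
    demo_strlcpy(dst, src, (size_t)n);
    return 0;
}

/* Callee-side variant of the proposal in the quoted mail: treat
 * size > INT_MAX as 0, so a negative int that became a huge size_t copies
 * nothing. A size of 0 also leaves dst unterminated, exactly as
 * strlcpy(dst, src, 0) does, so the caller still has to know. */
size_t checked_strlcpy(char *dst, const char *src, size_t size)
{
    if (size > (size_t)INT_MAX)
        size = 0;
    return demo_strlcpy(dst, src, size);
}

/* Helpers that report results without exposing the buffer: the length of
 * dst after the copy, or -1 if guarded_copy() refused. */
int guarded_copy_len(const char *src, int buf_size, int something)
{
    char dst[32] = "";
    if (guarded_copy(dst, src, buf_size, something) < 0)
        return -1;
    return (int)strlen(dst);
}

int checked_copy_len(const char *src, size_t size)
{
    char dst[32] = "";
    checked_strlcpy(dst, src, size);
    return (int)strlen(dst);
}

int main(void)
{
    char dst[16] = "";
    printf("size_t seen by callee for FFMIN(16, -1): %zu\n", effective_size(16, -1));
    printf("guarded_copy with FFMIN(16, -1): %d\n", guarded_copy(dst, "hello", 16, -1));
    guarded_copy(dst, "hello", 16, 3);
    printf("guarded_copy with FFMIN(16, 3): \"%s\"\n", dst);
    printf("checked_strlcpy with SIZE_MAX copies %d chars\n",
           checked_copy_len("hello", SIZE_MAX));
    return 0;
}
```

The first printf is the whole bug in one number: on a 64-bit build the callee sees 18446744073709551615, not -1, and a buffer of 16 bytes is overrun. Both fixes stop the overrun; only the caller-side one reports that something upstream computed a negative size, which is the information needed to fix the actual bug.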
