[FFmpeg-devel] Overflow check for frame_size in v4l.c

Stefano Sabatini stefano.sabatini-lala
Sat Dec 27 15:12:59 CET 2008


On date Saturday 2008-12-27 14:36:37 +0100, Michael Niedermayer encoded:
> On Sat, Dec 27, 2008 at 12:51:33PM +0100, Stefano Sabatini wrote:
> > On date Friday 2008-12-26 14:09:20 +0100, Michael Niedermayer encoded:
> > > On Fri, Dec 26, 2008 at 11:36:36AM +0100, Stefano Sabatini wrote:
> > > > On date Friday 2008-12-26 00:52:12 +0100, Michael Niedermayer encoded:
> > > > > On Wed, Dec 24, 2008 at 03:37:05PM +0100, Stefano Sabatini wrote:
> > > [...]
> > > > > [...]
> > > > > 
> > > > > 
> > > > > > Index: ffmpeg/libavdevice/v4l.c
> > > > > > ===================================================================
> > > > > > --- ffmpeg.orig/libavdevice/v4l.c	2008-12-21 23:45:13.000000000 +0100
> > > > > > +++ ffmpeg/libavdevice/v4l.c	2008-12-24 13:34:57.000000000 +0100
> > > > > > @@ -84,11 +84,6 @@
> > > > > >      }
> > > > > >      s->time_base = ap->time_base;
> > > > > >  
> > > > > > -    if((unsigned)ap->width > 32767 || (unsigned)ap->height > 32767) {
> > > > > > -        av_log(s1, AV_LOG_ERROR, "Capture size is out of range: %dx%d\n",
> > > > > > -            ap->width, ap->height);
> > > > > > -        return -1;
> > > > > > -    }
> > > > > >      s->video_win.width = ap->width;
> > > > > >      s->video_win.height = ap->height;
> > > > > >  
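Review bot: dropping the range check that precedes `s->video_win.width = ap->width;` leaves ap->width and ap->height unvalidated in this hunk, and the `(unsigned)` casts in the removed condition were also what rejected negative values. Rather than deleting it, keep a check at this point and size its bound to the later frame_size multiplication quoted in this thread, with a comment saying where the limit comes from, since the removed lines give no source for 32767.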
> > > > > ?
> > > > 
> > > > The idea is that this check is useless, since either the VIDIOCSWIN
> > > > or the VIDIOCMCAPTURE ioctl will perform a check on the size (but
> > > > I don't know where the 32767 value comes from).
> > > 
> > > I think the check is insufficient and more not less checking is needed
> > > 
> > >  frame_size = s->video_win.width * s->video_win.height * video_formats[j].depth / 8;
> > > 
> > > will not work with 32767*32767*...
> > 
> > OK, 32767 = 2^15 -1.
> > 
> > We may then check for 16383 = 2^14 -1 (check the patch below), or
> > maybe some function like these ones may help:
> 
> avcodec_check_dimensions()

I don't think it is a good idea to use that function here; its domain
is very specific and here we have to check the result of a
multiplication with *three* operands.

I propose three possible choices:

1) Implement a stricter check.

   Since we have
   frame_size =  s->video_win.width * s->video_win.height * video_formats[j].depth / 8;

   and video_formats[j].depth / 8 is at maximum 3, then we have:

   X * X * 3 < 2 ^ 31 -1;

   that is:
   X * X < (2^31 - 1) / 3

   max_X = tail (sqrt ((2^31 - 1) / 3)) = 26754

   so we could check for width/height <= 26754

   Or if we want to be more prudent, we can replace 3 with 8, then we have
   max_X = 16383.

2) Introduce some generic function in libavutil such as av_safe_mul32()
   as proposed in the previous post and use it.

3) Leave the check as it is, if we're lucky no one will ever have any
   problem with the non-strict-enough check, since valid values for
   height and width are unlikely to generate an overflow.

Regards.
-- 
FFmpeg = Frightening Free Moronic Pitiless Eager Geisha
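
Added example, not part of the message above and not FFmpeg code: a checked version of the three-operand frame_size computation (choice 2) together with the bound derivation from choice 1. The names checked_mul, checked_frame_size and max_square_dim are hypothetical, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper, not an FFmpeg function: store a * b in *out and
 * return 0, or return -1 if an operand is negative or the product
 * would exceed INT_MAX. */
static int checked_mul(int a, int b, int *out)
{
    if (a < 0 || b < 0 || (a != 0 && b > INT_MAX / a))
        return -1;
    *out = a * b;
    return 0;
}

/* width * height * depth_bits / 8, evaluated left to right as C does for
 * the expression quoted in the thread: the multiplication by the depth in
 * bits happens before the division. Returns the size in bytes, or -1. */
int checked_frame_size(int width, int height, int depth_bits)
{
    int pixels, bits;

    if (width <= 0 || height <= 0 || depth_bits <= 0)
        return -1;
    if (checked_mul(width, height, &pixels) < 0 ||
        checked_mul(pixels, depth_bits, &bits) < 0)
        return -1;
    return bits / 8;
}

/* Largest X such that X * X * factor <= INT_MAX, found without sqrt(). */
int max_square_dim(int factor)
{
    int limit = INT_MAX / factor, x = 0;

    while (x + 1 <= limit / (x + 1))
        x++;
    return x;
}

int main(void)
{
    printf("factor 3: %d, factor 8: %d, factor 24: %d\n",
           max_square_dim(3), max_square_dim(8), max_square_dim(24));
    printf("640x480x24: %d\n", checked_frame_size(640, 480, 24));
    printf("26754x26754x24: %d\n", checked_frame_size(26754, 26754, 24));
    return 0;
}
```

Because the intermediate product is formed with the depth in bits, a 24-bit format is checked against a factor of 24 rather than 3, so checked_frame_size rejects 26754x26754 at that depth.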



