[FFmpeg-devel] [PATCH] IVF demuxer

David Conrad lessen42
Sat May 22 00:10:28 CEST 2010


On May 21, 2010, at 1:23 AM, Reimar Döffinger wrote:

> On Thu, May 20, 2010 at 09:26:23PM -0400, David Conrad wrote:
>> +    int ret, size = get_le32(s->pb);
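
Review bot: size is declared as a signed int in "int ret, size = get_le32(s->pb);", so with the usual 32-bit int a value of 0x80000000 or above read from the file is already negative before anything uses it. Read the field into an unsigned 32-bit variable and reject values above a sane maximum at this point, so the bound is enforced in the demuxer itself instead of depending on whatever the callee checks.
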
> 
> Forgot: reading a 32 bit value into a signed int and using it
> in av_get_packet without range check seems like a really bad idea to me.

av_get_packet has     if((unsigned)size < (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)

which should check for it (though iirc there were some questions about whether it relied on undefined overflow behaviour?)
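
The unsigned comparison quoted in the message above, worked through in C as an added example (not code from the patch or from FFmpeg): it shows which 32-bit size values that comparison rejects, next to an explicit range check. PADDING = 8, read_le32 and both check function names are assumptions made for this example, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed padding constant for this example; it stands in for
 * FF_INPUT_BUFFER_PADDING_SIZE, whose value is not given in the thread. */
#define PADDING 8u

/* Read a 32-bit little-endian value from a byte buffer. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The quoted comparison, done entirely in unsigned arithmetic. Unsigned
 * wraparound is well defined (mod 2^32), so this is false exactly when
 * raw + PADDING wraps past UINT32_MAX. */
static int wrap_check_passes(uint32_t raw)
{
    return raw < (uint32_t)(raw + PADDING);
}

/* Explicit range check: size plus padding must still fit in a signed int. */
static int range_check_passes(uint32_t raw)
{
    return raw <= (uint32_t)INT_MAX - PADDING;
}

int main(void)
{
    /* Constructed size fields, laid out as they would appear in a file. */
    static const unsigned char samples[][4] = {
        {0x00, 0x10, 0x00, 0x00},   /* 4096 */
        {0x00, 0x00, 0x00, 0x80},   /* 0x80000000: negative in a 32-bit int */
        {0xfc, 0xff, 0xff, 0xff},   /* 0xfffffffc: adding PADDING wraps */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t raw = read_le32(samples[i]);
        printf("0x%08lx wrap_check=%d range_check=%d\n", (unsigned long)raw,
               wrap_check_passes(raw), range_check_passes(raw));
    }
    return 0;
}
```

The comparison only fails for values within PADDING of the 32-bit maximum; a value such as 0x80000000 passes it and is only turned away by the explicit range check.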


