[FFmpeg-devel] [PATCH] Respect payload offset in av_grow_packet
Michael Niedermayer
michael at niedermayer.cc
Tue May 24 12:57:15 CEST 2016
On Tue, May 24, 2016 at 12:32:19PM +0300, Andriy Lysnevych wrote:
> This one removed:
>
> >> - if (!pkt->size)
> >> - return av_new_packet(pkt, grow_by);
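Review bot: dropping the `if (!pkt->size) return av_new_packet(pkt, grow_by);` shortcut changes behaviour for a packet whose size is 0 but whose reference-counted buf is already allocated (the leak case the reply points out), so the general path below must handle size == 0 with buf set, and the commit message should say that this is intended. The trailing "(FIXME?)" suggests the point is still open; either settle it in this patch or split it into its own.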
>
> pkt->size can be 0 but reference-counted buf allocated. av_new_packet
> leads to memory leak in this case. (FIXME?)
>
> >> - if ((unsigned)grow_by >
> >> - INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
> >> - return -1;
> >>
> >> new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
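Review bot: with the early return removed, `new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;` is now evaluated before either branch's copy of the overflow test, so a large grow_by makes the signed addition overflow (undefined behavior) whether or not new_size is used afterwards; keep one check ahead of the addition instead of one per branch.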
> >
> > you remove the overflow check, which makes this undefined behavior
> > (note that this is also so when the value is not used)
> >
>
> This check is not removed. It is duplicated in two if branches:
The check must be before
"new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;"
the addition is undefined behavior if it overflows
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway
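As an added illustration of the ordering point made in this reply (not code from the patch or from FFmpeg): a size computation with the same shape as the removed check, where the test runs before the addition so the signed sum can never overflow. PADDING_SIZE and grow_size_checked are names chosen here, not FFmpeg's, and the padding value is a stand-in.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for AV_INPUT_BUFFER_PADDING_SIZE; the exact value is not the point. */
#define PADDING_SIZE 64

/* Compute size + grow_by + PADDING_SIZE without ever evaluating an
 * overflowing signed addition. Returns 0 and stores the result in
 * *new_size, or -1 if the result would not fit in an int.
 * Every check happens before the sum is formed, which is the ordering
 * the reply above insists on: a check placed after the addition is too
 * late, because the overflow itself is already undefined behavior. */
int grow_size_checked(int size, int grow_by, int *new_size)
{
    if (new_size == NULL || size < 0)
        return -1;

    /* Reserve the padding first so that size + PADDING_SIZE below
     * cannot itself overflow. */
    if (size > INT_MAX - PADDING_SIZE)
        return -1;

    /* Same shape as the original check: the (unsigned) cast turns a
     * negative grow_by into a huge value, so it is rejected together
     * with a genuinely too-large one. Nothing has been added yet. */
    if ((unsigned)grow_by > (unsigned)(INT_MAX - (size + PADDING_SIZE)))
        return -1;

    /* Safe: the headroom test above guarantees this fits. */
    *new_size = size + grow_by + PADDING_SIZE;
    return 0;
}

int main(void)
{
    int n;
    /* Constructed inputs: a normal grow, the largest grow that still
     * fits, an overflowing grow, and a negative grow. */
    printf("grow 0 by 100     -> %d (n=%d)\n", grow_size_checked(0, 100, &n), n);
    printf("exactly INT_MAX   -> %d\n", grow_size_checked(1000, INT_MAX - 1000 - PADDING_SIZE, &n));
    printf("overflow          -> %d\n", grow_size_checked(1000, INT_MAX - 1000, &n));
    printf("negative grow_by  -> %d\n", grow_size_checked(1000, -1, &n));
    return 0;
}
```

The two tests are deliberately split: the first guards the `size + PADDING_SIZE` term that the second test itself evaluates, so neither comparison can overflow before it rejects the input.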