On Fri, 2026-05-29 at 05:11 +0200, Michael Niedermayer via ffmpeg-devel wrote:
> Hi Tomas
> 
> On Thu, May 28, 2026 at 10:41:05PM +0200, Tomas Härdin via ffmpeg-devel wrote:
> > On Thu, 2026-05-21 at 19:23 +0000, michaelni via ffmpeg-devel wrote:
> > > @@ -1438,12 +1438,12 @@ static int
> > > mxf_read_generic_descriptor(void
> > > *arg, AVIOContext *pb, int tag, int
> > >          break;
> > >      default:
> > >          /* Private uid used by SONY C0023S01.mxf */
> > > -        if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) {
> > > +        if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata) && size <=
> > > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
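
Review bot: the `size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` term added to the `IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)` condition in the `default:` case has no comment saying which inputs it is meant to reject. The reply in this thread states that the descriptors handled here use 2-byte lengths, in which case the bound can never be exceeded; either drop the term or add a one-line comment naming the invariant it guards. When the term is false the branch is simply not taken, so if an oversized `size` is ever possible, decide explicitly whether skipping the extradata or returning an error is the intended handling.
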
> > 
> > Did the "AI" tell you to add this useless check? All descriptors we
> > support use 2-byte lengths due to byte 5 of the UID being 0x53, and I'm
> > reasonably sure we assume int is >= 32 bits. See section 9.3 of S377m
> 
> The security report contained this as part of the suggested change
> and we failed to detect it.

It's essentially a no-op in this case so not really a problem. But it
does raise some concerns about future contributions. MXF is difficult
enough to grasp as it is, and if this was automatically generated then
it demonstrates an inability of these systems to actually understand
what they're doing. This isn't news to me since I already knew machines
cannot produce value, nor think. But I know it's news to people who
haven't been through previous AI hype cycles.

> It's an example why these AI generated reports are such a pain.

Getting reports is probably a good thing, so long as there aren't too
many false positives. Generated code on the other hand, besides the
obvious "blind idiot" problem, is also a huge copyright issue. We
should ban all AI contributions for this reason alone.

/Tomas