This one removed:

>> -    if (!pkt->size)
>> -        return av_new_packet(pkt, grow_by);

pkt->size can be 0 but a reference-counted buf allocated. av_new_packet leads to a memory leak in this case. (FIXME?)

>> -    if ((unsigned)grow_by >
>> -        INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
>> -        return -1;
>>
>>      new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
>
> you remove the overflow check, which makes this undefined behavior
> (note that this is also so when the value is not used)
>

This check is not removed. It is duplicated in two if branches:

    if (pkt->buf) {
+       int data_offset = pkt->data - pkt->buf->data;
+       if ((unsigned)grow_by >
+           INT_MAX - (pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE))
+           return -1;
        ...
    } else {
+       if ((unsigned)grow_by >
+           INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
+           return -1;
        ...
    }

Please specify in more detail if I missed something. Thanks!
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
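Review bot: `int data_offset = pkt->data - pkt->buf->data;` in the `if (pkt->buf)` branch narrows a pointer difference to int and never checks that pkt->data actually lies inside the buffer; if pkt->data precedes buf->data the offset is negative, and `INT_MAX - (pkt->size + data_offset + AV_INPUT_BUFFER_PADDING_SIZE)` then bounds a smaller allocation than the one that will be made. Consider rejecting `data_offset < 0` before the overflow comparison. Separately, since the removal of `if (!pkt->size) return av_new_packet(pkt, grow_by);` is justified by the leak described above, the commit message should say that a size-0 packet with no buf is now served by the else branch rather than leaving the "(FIXME?)" open.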
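Added example, not FFmpeg code and not the patch's code: a stand-alone model of the two overflow checks quoted in the reply, with a constructed input showing why the `data_offset` term is needed in the `pkt->buf` branch. AV_INPUT_BUFFER_PADDING_SIZE is assumed to be 64 here (PADDING), and the function names are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption for this example: stands in for AV_INPUT_BUFFER_PADDING_SIZE.
 * The reply only names the macro; the value is not on the page. */
#define PADDING 64

/* Model of the check in the patch's "else" branch (no reference-counted buf):
 * the unsigned cast also rejects a negative grow_by, which would compare as a
 * huge unsigned value. Returns true when size + grow_by + PADDING fits in int. */
bool grow_fits_no_offset(int size, int grow_by)
{
    return !((unsigned)grow_by > INT_MAX - (size + PADDING));
}

/* Model of the check in the patch's "if (pkt->buf)" branch: pkt->data may sit
 * data_offset bytes into buf->data, so the buffer that has to be grown is
 * data_offset + size + grow_by + PADDING bytes, and the bound must include
 * data_offset or the later size computation can wrap. */
bool grow_fits_with_offset(int size, int data_offset, int grow_by)
{
    return !((unsigned)grow_by >
             INT_MAX - (size + data_offset + PADDING));
}

/* The real allocation, computed in a wide type so it cannot wrap: lets the
 * caller see which check tells the truth about the int-sized result. */
long long total_alloc(int size, int data_offset, int grow_by)
{
    return (long long)data_offset + size + grow_by + PADDING;
}

int main(void)
{
    /* Constructed input: 100 payload bytes starting 50 bytes into the buffer,
     * grown by exactly enough that size + grow_by + PADDING == INT_MAX. */
    int size = 100, data_offset = 50;
    int grow_by = INT_MAX - size - PADDING;

    printf("check without data_offset accepts: %d\n",
           grow_fits_no_offset(size, grow_by));
    printf("check with data_offset accepts:    %d\n",
           grow_fits_with_offset(size, data_offset, grow_by));
    printf("bytes actually needed: %lld (INT_MAX is %d)\n",
           total_alloc(size, data_offset, grow_by), INT_MAX);
    return 0;
}
```

Run as-is it shows the offset-less check accepting a request whose true size is 50 bytes past INT_MAX, while the check carrying `data_offset` rejects it; a negative `grow_by` is rejected by both because of the unsigned comparison.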