On Tue, May 24, 2016 at 12:32:19PM +0300, Andriy Lysnevych wrote:
> This one removed:
>
> >> - if (!pkt->size)
> >> - return av_new_packet(pkt, grow_by);
>
> pkt->size can be 0 but reference-counted buf allocated. av_new_packet
> leads to memory leak in this case. (FIXME?)
>
> >> - if ((unsigned)grow_by >
> >> - INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
> >> - return -1;
> >>
> >> new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
> >
> > you remove the overflow check, which makes this undefined behavior
> > (note that this is also so when the value is not used)
> >
>
> This check is not removed. It is duplicated in two if branches:
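Review bot: the removed early return `if (!pkt->size) return av_new_packet(pkt, grow_by);` is dropped because, as the discussion notes, a packet with `pkt->size == 0` but an already allocated reference-counted `buf` would leak that buffer through av_new_packet; that rationale belongs in the commit message, and the path that now handles the size-0 case should make clear that the existing `buf` is reused or released rather than overwritten. The `(FIXME?)` should be resolved rather than left as an open question.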
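Review bot: the guard `if ((unsigned)grow_by > INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE)) return -1;` has to execute before `new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;` is evaluated; duplicating it inside later branches does not help, because the signed addition has already overflowed (undefined behaviour) by the time those branches run, whether or not `new_size` is then used. Keep the guard immediately ahead of the addition.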
The check must be before "new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;"
the addition is undefined behavior if it overflows

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway
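As an added illustration of the ordering point made in this thread (example code, not FFmpeg's own and not part of the patch under review): a stand-alone C function that evaluates the overflow guard from the quoted hunk before the signed addition, so the sum is only computed once it is known to fit in int. `PADDING_SIZE`, `struct pkt` and the function names are stand-ins for `AV_INPUT_BUFFER_PADDING_SIZE` and the AVPacket size field; they are assumptions here, as is the extra range check on the size field.

```c
#include <limits.h>
#include <stdio.h>

/* Stand-ins (assumptions, not FFmpeg's definitions) for
 * AV_INPUT_BUFFER_PADDING_SIZE and the size field of AVPacket. */
#define PADDING_SIZE 64

struct pkt {
    int size;   /* payload bytes currently in the packet */
};

/* Computes the buffer size needed after growing the packet by grow_by
 * bytes, with the overflow guard evaluated BEFORE the signed addition.
 * Returns 0 and stores the result in *new_size, or -1 if the growth
 * would overflow int (or the inputs are out of range). */
int grow_size_checked(const struct pkt *pkt, int grow_by, int *new_size)
{
    /* Reject negative growth and a size field already out of range, so
     * that pkt->size + PADDING_SIZE below cannot itself overflow. */
    if (grow_by < 0 || pkt->size < 0 || pkt->size > INT_MAX - PADDING_SIZE)
        return -1;

    /* The guard from the quoted patch, placed ahead of the addition.
     * Every operand here is non-negative, so no expression overflows. */
    if ((unsigned)grow_by > INT_MAX - (pkt->size + PADDING_SIZE))
        return -1;

    /* Only now is the sum known to fit in int. */
    *new_size = pkt->size + grow_by + PADDING_SIZE;
    return 0;
}

/* Convenience wrapper: returns the grown size, or -1 on overflow. */
int grown_size_or_neg(int size, int grow_by)
{
    struct pkt p = { size };
    int n;
    return grow_size_checked(&p, grow_by, &n) == 0 ? n : -1;
}

int main(void)
{
    printf("100 + 50          -> %d\n", grown_size_or_neg(100, 50));
    printf("INT_MAX-64 + 1    -> %d\n", grown_size_or_neg(INT_MAX - PADDING_SIZE, 1));
    printf("0 + INT_MAX-64    -> %d\n", grown_size_or_neg(0, INT_MAX - PADDING_SIZE));
    return 0;
}
```

The comparison is done in unsigned arithmetic on non-negative operands, so the guard itself cannot overflow; moving it after the `new_size` assignment would leave the signed addition unprotected regardless of whether the result is later used.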
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel