Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation

Måns Rullgård Fri, 19 Oct 2012 09:47:33 -0700

Reinhard Tartler <siret...@gmail.com> writes:

> Would the following do then?
>
> diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
> index 40224fb..5d050dc 100644
> --- a/libavcodec/escape124.c
> +++ b/libavcodec/escape124.c
> @@ -48,7 +48,7 @@ typedef struct Escape124Context {
>      CodeBook codebooks[3];
>  } Escape124Context;
>
> -static int can_safely_read(GetBitContext* gb, int bits) {
> +static int can_safely_read(GetBitContext* gb, uint64_t bits) {
>      return get_bits_left(gb) >= bits;
>  }
>
> @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb,
> unsigned depth,
>      unsigned i, j;
>      CodeBook cb = { 0 };
>
> -    if (!can_safely_read(gb, size * 34))
> +    if (size>=UINT_MAX/34 || !can_safely_read(gb, size * 34))
>          return cb;


If you check against overflow here there is no need to make the argument
64-bit.  In fact, in this form doing so has no effect at all since the
overflow would have already happened before the 64-bit conversion.

-- 
Måns Rullgård
m...@mansr.com
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation

Reply via email to