Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
On Wed, Oct 17, 2012 at 11:59 PM, Måns Rullgård m...@mansr.com wrote: Reinhard Tartler siret...@gmail.com writes: On Wed, Oct 17, 2012 at 11:39 PM, Måns Rullgård m...@mansr.com wrote: Reinhard Tartler siret...@tauware.de writes: From: Michael Niedermayer michae...@gmx.at Fixes Ticket1629 Signed-off-by: Michael Niedermayer michae...@gmx.at (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Reinhard Tartler siret...@tauware.de --- libavcodec/escape124.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..c04af69 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (!can_safely_read(gb, size * 34L)) return cb; Would this be a better condition then: if (size=UINT_MAX/34 || !can_safely_read(gb, size * 34U)) return cb; size is unsigned so the U suffix isn't needed. Moreover, I wonder if the can_safely_read() thing is even needed in most places now that we have the safe bitstream reader. Certainly some of them are unnecessary. Would the following do then? diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..5d050dc 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (size=UINT_MAX/34 || !can_safely_read(gb, size * 34)) return cb; if (size = INT_MAX / sizeof(MacroBlock)) -- regards, Reinhard ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
Reinhard Tartler siret...@gmail.com writes: Would the following do then? diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..5d050dc 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (size=UINT_MAX/34 || !can_safely_read(gb, size * 34)) return cb; If you check against overflow here there is no need to make the argument 64-bit. In fact, in this form doing so has no effect at all since the overflow would have already happened before the 64-bit conversion. -- Måns Rullgård m...@mansr.com ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
From: Michael Niedermayer michae...@gmx.at Fixes Ticket1629 Signed-off-by: Michael Niedermayer michae...@gmx.at (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Reinhard Tartler siret...@tauware.de --- libavcodec/escape124.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..c04af69 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (!can_safely_read(gb, size * 34L)) return cb; if (size = INT_MAX / sizeof(MacroBlock)) -- 1.7.9.5 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
Reinhard Tartler siret...@tauware.de writes: From: Michael Niedermayer michae...@gmx.at Fixes Ticket1629 Signed-off-by: Michael Niedermayer michae...@gmx.at (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Reinhard Tartler siret...@tauware.de --- libavcodec/escape124.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..c04af69 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (!can_safely_read(gb, size * 34L)) return cb; This is wrong. The L suffix has no effect on 32-bit systems. -- Måns Rullgård m...@mansr.com ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
On Wed, Oct 17, 2012 at 11:39 PM, Måns Rullgård m...@mansr.com wrote: Reinhard Tartler siret...@tauware.de writes: From: Michael Niedermayer michae...@gmx.at Fixes Ticket1629 Signed-off-by: Michael Niedermayer michae...@gmx.at (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Reinhard Tartler siret...@tauware.de --- libavcodec/escape124.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..c04af69 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (!can_safely_read(gb, size * 34L)) return cb; Would this be a better condition then: if (size=UINT_MAX/34 || !can_safely_read(gb, size * 34U)) return cb; ? -- regards, Reinhard ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH 3/5] escape124: fix integer overflow leading to excessive memory allocation
Reinhard Tartler siret...@gmail.com writes: On Wed, Oct 17, 2012 at 11:39 PM, Måns Rullgård m...@mansr.com wrote: Reinhard Tartler siret...@tauware.de writes: From: Michael Niedermayer michae...@gmx.at Fixes Ticket1629 Signed-off-by: Michael Niedermayer michae...@gmx.at (cherry picked from commit 3d7817048cb387de87600f2152075f78b37b60a6) Signed-off-by: Reinhard Tartler siret...@tauware.de --- libavcodec/escape124.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 40224fb..c04af69 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -48,7 +48,7 @@ typedef struct Escape124Context { CodeBook codebooks[3]; } Escape124Context; -static int can_safely_read(GetBitContext* gb, int bits) { +static int can_safely_read(GetBitContext* gb, uint64_t bits) { return get_bits_left(gb) = bits; } @@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; -if (!can_safely_read(gb, size * 34)) +if (!can_safely_read(gb, size * 34L)) return cb; Would this be a better condition then: if (size=UINT_MAX/34 || !can_safely_read(gb, size * 34U)) return cb; size is unsigned so the U suffix isn't needed. Moreover, I wonder if the can_safely_read() thing is even needed in most places now that we have the safe bitstream reader. Certainly some of them are unnecessary. -- Måns Rullgård m...@mansr.com ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel