On Mon, Feb 15, 2021 at 2:02 AM Carl Eugen Hoyos <ceffm...@gmail.com> wrote:
> On Sun, Feb 14, 2021 at 18:57, Nuo Mi <nuomi2...@gmail.com> wrote:
> >
> > > > https://github.com/FFmpeg/FFmpeg/blob/21346672270ae723aa774a9c8b0749954a75b3df/libavcodec/movtextenc.c#L110
> > > >
> > > > s->count * sizeof(*s->style_attributes) never > 32 bits.
> > >
> > > This is not correct afaict:
> > > The relevant line is 369 not 110, count is of type unsigned and if you
> > > multiply it with something >1, it can overflow.
> > >
> > You are right, the count is unsigned int, but
> > https://github.com/FFmpeg/FFmpeg/blob/21346672270ae723aa774a9c8b0749954a75b3df/libavcodec/movtextenc.c#L112
> > tells us the value never > 16 bits
>
> No, this is not correct:
> Line 112 does not know how often line 369 was called.
>
Yes, we can check s->count <= UINT16_MAX before 369. It will make sure we never overflow.

>
> Carl Eugen
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
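The check proposed in this message, as an added example that is not part of the original thread and not FFmpeg's code: `StyleRec`, `StyleList`, `style_append` and `size32` are hypothetical names, and holding the size in 32 bits is an assumption. It caps the count before the multiplication and shows the wrapped value an uncapped count can produce.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the encoder's style array; not FFmpeg's types. */
typedef struct { uint16_t start, end; uint32_t color; } StyleRec;
typedef struct {
    StyleRec *recs;
    unsigned  count;      /* unsigned, like the count discussed in the thread */
    size_t    allocated;  /* bytes currently allocated for recs */
} StyleList;

/* What a 32-bit size computation yields: the product is reduced mod 2^32. */
uint32_t size32(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);
}

/* Append one record; returns 0 on success, -1 on cap, overflow or OOM. */
int style_append(StyleList *l, const StyleRec *r)
{
    /* The cap proposed in the thread, applied before the multiplication,
     * so count can never exceed UINT16_MAX. */
    if (l->count >= UINT16_MAX)
        return -1;
    size_t n = (size_t)l->count + 1;
    /* General guard, independent of the cap and of sizeof(*l->recs). */
    if (n > SIZE_MAX / sizeof(*l->recs))
        return -1;
    size_t need = n * sizeof(*l->recs);
    if (need > l->allocated) {
        StyleRec *p = realloc(l->recs, need);
        if (!p)
            return -1;
        l->recs = p;
        l->allocated = need;
    }
    l->recs[l->count++] = *r;
    return 0;
}

int main(void)
{
    StyleList l = {0};
    StyleRec r = {0, 1, 0xffffffffu};   /* constructed sample record */
    while (style_append(&l, &r) == 0)
        ;
    printf("stopped at count=%u, size32(0x20000000, 8)=%u\n",
           l.count, (unsigned)size32(0x20000000u, 8));
    free(l.recs);
    return 0;
}
```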