> -----Original Message----- > From: ffmpeg-devel <ffmpeg-devel-boun...@ffmpeg.org> On Behalf Of > Carl Eugen Hoyos > Sent: Sunday, 8 August 2021 01:58 > To: FFmpeg development discussions and patches <ffmpeg- > de...@ffmpeg.org> > Subject: Re: [FFmpeg-devel] [PATCH v2] libavformat/asfdec: Fix regression > bug when reading image attachments > > Am So., 8. Aug. 2021 um 01:53 Uhr schrieb Soft Works > <softwo...@hotmail.com>: > > > > Commit c8140fe7324f264faacf7395b27e12531d1f13f7 had introduced a > check for value_len > UINT16_MAX. > > As a consequence, attached images of sizes larger than UINT16_MAX could > no longer be read. > > > > Signed-off-by: softworkz <softwo...@hotmail.com> > > --- > > v2: Fix without changing variable type libavformat/asfdec_f.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index > > ff6ddfb967..b9f3918495 100644 > > --- a/libavformat/asfdec_f.c > > +++ b/libavformat/asfdec_f.c > > @@ -614,7 +614,7 @@ static int asf_read_metadata(AVFormatContext *s, > int64_t size) > > value_type = avio_rl16(pb); /* value_type */ > > value_len = avio_rl32(pb); > > > > - if (value_len < 0 || value_len > UINT16_MAX) > > + if (value_len < 0) > > return AVERROR_INVALIDDATA; > > I may misread the code but it appears to me that an assert can be triggered > now, no?
Right, for these 11 discrete size values only, though: 2147483647, 2147483646, 2147483645, 2147483644, 2147483643, 2147483642, 2147483641, 2147483640, 2147483639, 2147483638 2147483636 A chance of 11 in 4 Billions :-) TBH, I don't understand this assert. When the attachment is too large to handle, we should rather log a warning and goto finish instead IMO. softworkz _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
