On Thu, Jul 30, 2015 at 12:28:36AM +0200, wm4 wrote:
> On Thu, 30 Jul 2015 00:17:49 +0200
> Michael Niedermayer <mich...@niedermayer.cc> wrote:
>
> > On Wed, Jul 29, 2015 at 10:33:44PM +0200, wm4 wrote:
> > > ---
> > > If I read this right, the subtraction and comparison would be done in
> > > unsigned, because size_t is unsigned. Which would make this check
> > > ineffective. (p->buf_size is int.)
> > > ---
> > >  libavformat/rawdec.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > I wonder why this wasn't noticed before
> > I've the suspicion the negative case cannot actually occur
> > either way it's a bug
>
> When not? I suppose normally nobody would make the probe buffer so
> small, but what about small files?

to reach the loop you first need to have some construct that parses into
2 valid looking frames and still be smaller than the string.
a random small file will not trigger this, a crafted file might "work"

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway
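The signedness issue discussed in this thread, as an added example that is not part of the original messages and is not FFmpeg's code: a loop bound of the form `buf_size - sizeof(...)` is evaluated in `size_t`, so a buffer shorter than the searched string passes the check. The marker string, the sample buffer and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical marker the probe loop searches for (constructed, not FFmpeg's). */
static const char marker[] = "--example-boundary\r\n";
/* Constructed sample input holding two markers. */
static const unsigned char sample[] =
    "xx--example-boundary\r\nyy--example-boundary\r\n";

/* Loop condition `i < buf_size - sizeof(marker)` with int i and buf_size.
 * The casts spell out the conversions the compiler applies implicitly:
 * both ints become size_t, so a negative difference wraps to a huge value. */
int admits_unsigned(int i, int buf_size)
{
    return (size_t)i < (size_t)buf_size - sizeof(marker);
}

/* Same condition with the size cast to int: the difference stays signed. */
int admits_signed(int i, int buf_size)
{
    return i < buf_size - (int)sizeof(marker);
}

/* Scan bounded by signed arithmetic; never reads past buf + buf_size. */
int count_markers(const unsigned char *buf, int buf_size)
{
    const int len = (int)sizeof(marker) - 1; /* without the trailing NUL */
    int n = 0;
    for (int i = 0; i <= buf_size - len; i++)
        if (!memcmp(buf + i, marker, (size_t)len))
            n++;
    return n;
}

int main(void)
{
    /* A 4-byte buffer is shorter than the marker. */
    printf("unsigned bound admits i=0: %d\n", admits_unsigned(0, 4));
    printf("signed bound admits i=0:   %d\n", admits_signed(0, 4));
    printf("markers in sample:         %d\n",
           count_markers(sample, (int)sizeof(sample) - 1));
    return 0;
}
```

Building with `-Wsign-compare` (part of `-Wextra` in GCC and Clang) flags the implicit form of the first comparison at compile time.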