On Mon, Jul 3, 2017 at 3:56 AM, Moritz Barsnick <barsn...@gmx.net> wrote:
> On Sun, Jul 02, 2017 at 20:48:17 +0530, Paras Chadha wrote:
> > + int64_t header_size = 0, data_size=0, ret, pcount=0, gcount=1, d;
> [...]
> > + header_size += 80;
> [...]
> > + header_size += 80;
> [...]
> > + header_size += 80;
> [...]
> > + for (i = 0; i < naxis; i++) {
> [...]
> > + header_size += 80;
> [...]
> > + header_size += 80;
> [...]
> > + while (strncmp(buf, "END", 3)) {
> [...]
> > + header_size += 80;
> > + }
> > +
> > + header_size = ceil(header_size/2880.0)*2880;
> > + if (header_size < 0)
> > + return AVERROR_INVALIDDATA;
>
> How can this happen, except by integer overflow?
>

It will not happen except in case of integer overflow.

>
> > + if (data_size < 0)
> > + return AVERROR_INVALIDDATA;
> > +
> > + if (!data_size) {
> > + fits->image = 0;
> > + } else {
> > + data_size = ceil(data_size/2880.0)*2880;
> > + if (data_size < 0)
> > + return AVERROR_INVALIDDATA;
>
> How can this occur?

It will not occur except in case of integer overflow.
If you are asking for a specific case when this 'if' will execute, then set
data_size = LLONG_MAX - 1. Due to ceil function the final value will become
greater than LLONG_MAX. So, the statement inside 'if' will execute.

> Moritz
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
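
Review bot: In the data-size hunk, `data_size = ceil(data_size/2880.0)*2880;` rounds in double and converts the result back to int64_t, so the `if (data_size < 0)` that follows is not a dependable overflow check. Converting a double that lies outside the int64_t range is undefined behaviour in C, and a double represents integers exactly only up to 2^53, so a large size is already rounded before the multiplication. Suggest rejecting the value before rounding and doing the rounding with integers, e.g. `if (data_size > INT64_MAX - 2879) return AVERROR_INVALIDDATA;` followed by `data_size = (data_size + 2879) / 2880 * 2880;`.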
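
Review bot: In the header hunk, the `if (header_size < 0)` after `header_size = ceil(header_size/2880.0)*2880;` is effectively dead code: header_size is an int64_t that grows by 80 per card, so it would take on the order of 10^17 cards to approach the limit. Either drop the check, or replace it with an explicit upper bound on header_size tested inside the `while (strncmp(buf, "END", 3))` loop, which states the intended limit directly and bounds the work done on a header with a very large number of cards.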