On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote: > Kieran Kunhya via ffmpeg-devel (HE12025-08-14): > > I don't think we should partake in this "security vulnerability farming" > > exercise. This isn't a security issue and it spams the code with integer > > overflow checks to fix a theoretical issue. > > This is my take on this kind of “bugs” too.
I have no oppinion on this, but if INT_MAX hours gives undefined behavior then the API documentation has to exclude that as valid input range and all callers must be checked. (which may imply equivalent checks in some callers) Maybe we should specify in the commit that this is not a security fix but a normal bug fix But the code is buggy if part of the valid API input range results in undefined behavior thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
