On 2025-08-14 18:44 +0200, Michael Niedermayer wrote: > On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote: > > Kieran Kunhya via ffmpeg-devel (HE12025-08-14): > > > I don't think we should partake in this "security vulnerability farming" > > > exercise. This isn't a security issue and it spams the code with integer > > > overflow checks to fix a theoretical issue. > > > > This is my take on this kind of “bugs” too. > > I have no oppinion on this, but if INT_MAX hours > gives undefined behavior then the API documentation has to exclude that > as valid input range and all callers must be checked. > (which may imply equivalent checks in some callers) > > Maybe we should specify in the commit that this is not a security fix > but a normal bug fix > > But the code is buggy if part of the valid API input range results in > undefined behavior
I would say invoking UB should be avoided. I agree with Michael we should either handle it or improve the documentation accordingly so users can find out about the limits. Proposed patches look fine to me. If updating the docs is preferred that would also be fine if someone wants to volunteer to do that. Best regards, Alexander _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
