On Thu, 14 Aug 2025, 12:53 Alexander Strasser via ffmpeg-devel, <ffmpeg-devel@ffmpeg.org> wrote:

> On 2025-08-14 18:44 +0200, Michael Niedermayer wrote:
> > On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote:
> > > Kieran Kunhya via ffmpeg-devel (HE12025-08-14):
> > > > I don't think we should partake in this "security vulnerability farming"
> > > > exercise. This isn't a security issue and it spams the code with integer
> > > > overflow checks to fix a theoretical issue.
> > >
> > > This is my take on this kind of “bugs” too.
> >
> > I have no opinion on this, but if INT_MAX hours
> > gives undefined behavior then the API documentation has to exclude that
> > as valid input range and all callers must be checked.
> > (which may imply equivalent checks in some callers)
> >
> > Maybe we should specify in the commit that this is not a security fix
> > but a normal bug fix
> >
> > But the code is buggy if part of the valid API input range results in
> > undefined behavior
>
> I would say invoking UB should be avoided.
>
> I agree with Michael we should either handle it or improve the
> documentation accordingly so users can find out about the limits.
>
> Proposed patches look fine to me.
>
> If updating the docs is preferred that would also be fine if
> someone wants to volunteer to do that.
>

If I were near a computer I would do that instead of spamming the code with "fixes" for theoretical issues.

Kieran