On Sat, Jul 12, 2014 at 12:06:29AM +0200, Katerina Barone-Adesi wrote:
> The size variable is (correctly) unsigned, but is passed to several functions
> which take signed parameters, such as avio_read and av_malloc, sometimes
> after having numbers added to it.
av_malloc takes a size_t parameter. > --- a/libavformat/apetag.c > +++ b/libavformat/apetag.c > @@ -57,8 +57,8 @@ static int ape_tag_read_field(AVFormatContext *s) > av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); > return -1; > } > - if (size >= UINT_MAX) > - return -1; > + if (size > (unsigned) INT32_MAX - FFMAX(1, FF_INPUT_BUFFER_PADDING_SIZE)) > + return AVERROR_INVALIDDATA; Why not UINT32_MAX instead of casting? Diego _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
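Review bot: The new bound in the `size >` check has no comment saying what the `FFMAX(1, FF_INPUT_BUFFER_PADDING_SIZE)` headroom covers. The commit message mentions "numbers added to it", but the hunk does not show which additions those are, so a reader cannot confirm that subtracting this amount from `INT32_MAX` is enough to keep every later `size + n` within a signed parameter. A one-line comment naming the additions it accounts for would make the limit checkable. Two smaller points on the same hunk: the invalid-key branch directly above still does `return -1;` while the new branch returns `AVERROR_INVALIDDATA`, so the function now reports bad input two different ways, and the new rejection path is silent where the key check logs with `av_log(s, AV_LOG_WARNING, ...)`. Logging the rejected size would help when triaging malformed APE tags.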
