> av_malloc takes a size_t parameter.
Yes, mentioning av_malloc was a last-minute mistake while typing the
commit message while tired, after carefully thinking through the patch
itself; it's the only relevant function which uses size_t.
avio_get_str, avio_read, and av_get_packet all take int. The commit
message should be changed. The function ape_tag_read_field itself
includes (non-exhaustively):
size -= avio_get_str(pb, size, filename, sizeof(filename));
ret = av_get_packet(s->pb, &pkt, size);
if (avio_read(pb, st->codec->extradata, size) != size) {
The relevant function prototypes:
libavformat/avio.h:int avio_read(AVIOContext *s, unsigned char *buf, int size);
libavformat/avio.h:int avio_get_str(AVIOContext *pb, int maxlen, char *buf, int buflen);
libavformat/avformat.h:int av_get_packet(AVIOContext *s, AVPacket *pkt, int size);
>> --- a/libavformat/apetag.c
>> +++ b/libavformat/apetag.c
>> @@ -57,8 +57,8 @@ static int ape_tag_read_field(AVFormatContext *s)
>> av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
>> return -1;
>> }
>> - if (size >= UINT_MAX)
>> - return -1;
>> + if (size > (unsigned) INT32_MAX - FFMAX(1,
>> FF_INPUT_BUFFER_PADDING_SIZE))
>> + return AVERROR_INVALIDDATA;
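Review bot: the new bound is expressed with INT32_MAX, but the callees this guards (avio_get_str, avio_read, av_get_packet, all declared with a plain `int size`) make INT_MAX the limit that matches the parameter type; the two are equal wherever int is 32 bits, so this is a readability point rather than a bug. The hunk also gives no hint of why FFMAX(1, FF_INPUT_BUFFER_PADDING_SIZE) is subtracted from the limit; a one-line comment above the check saying what the padding term protects would spare the next reader from re-deriving it. Finally, the new path returns AVERROR_INVALIDDATA while the unchanged `return -1;` two lines above it, after the "Invalid APE tag key" warning, still returns the bare -1; converting that one in the same patch would keep the function's error returns consistent.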
>
> Why not UINT32_MAX instead of casting?
>
> Diego
If the high bit of 'size' is set, the calls to the functions mentioned
above are wrong - at least on platforms where int is a 32-bit signed
type. I specifically want the value INT_MAX, rather than UINT_MAX,
because having the high bit not set *matters* on some platforms.
UINT_MAX and INT_MAX are different numbers, and are not
interchangeable.
It turns out the cast is technically unnecessary, other than
documenting intent and allowing one to ignore the rest of this
paragraph. I remembered clause 3 of the integer promotion rules of C99
backwards.
https://www.securecoding.cert.org/confluence/display/seccode/INT02-C.+Understand+integer+conversion+rules
correctly states "If the operand that has unsigned integer type has
rank greater than or equal to the rank of the type of the other
operand, the operand with signed integer type is converted to the type
of the operand with unsigned integer type."
Kat
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
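As an added example (not code from the libav tree or from either poster), the following C program re-creates the patched bound as a hypothetical ape_size_ok_cast() and shows the three points made in the reply above: the old `size >= UINT_MAX` check lets a value with the high bit set through, such a value arrives as a negative number in an int-typed parameter like the one avio_read takes, and the `(unsigned)` cast makes no difference under the C99 usual arithmetic conversions (INT02-C). PADDING_SIZE stands in for FF_INPUT_BUFFER_PADDING_SIZE with an assumed value of 16, MAX2 stands in for FFMAX, and a two's complement 32-bit int is assumed for the out-of-range conversion.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the libavcodec macros, assumed here so the example is
 * self-contained; the real padding value is defined by libavcodec. */
#define PADDING_SIZE 16
#define MAX2(a, b) ((a) > (b) ? (a) : (b))

/* Hypothetical re-creation of the patched bound: the 32-bit unsigned tag
 * field size must leave room for the padding term and still fit in a
 * positive int, because the callees take `int size`. Returns 1 if the
 * size is acceptable, 0 if it must be rejected. */
static int ape_size_ok_cast(uint32_t size)
{
    return size <= (unsigned) INT32_MAX - MAX2(1, PADDING_SIZE);
}

/* The same bound without the cast. By the usual arithmetic conversions
 * the int operand is converted to unsigned int because the unsigned
 * operand has rank greater than or equal to its rank, so the comparison
 * is identical to the cast form. */
static int ape_size_ok_nocast(uint32_t size)
{
    return size <= INT32_MAX - MAX2(1, PADDING_SIZE);
}

/* The pre-patch check: only UINT_MAX itself is rejected, so any value with
 * the high bit set is admitted. Returns 1 if admitted. */
static int old_check_ok(uint32_t size)
{
    return !(size >= UINT_MAX);
}

/* What an int-taking callee sees if handed the raw size. Converting an
 * out-of-range unsigned value to int is implementation-defined in C99; on
 * the assumed two's complement 32-bit int it wraps to a negative number. */
static int as_int_parameter(uint32_t size)
{
    return (int) size;
}

/* Check that the cast and no-cast forms agree on boundary values, including
 * the exact limit INT32_MAX - 16 (0x7FFFFFEF), one past it, and values with
 * the high bit set. Returns 1 when every sample agrees. */
static int forms_agree(void)
{
    static const uint32_t samples[] = {
        0, 1, 0x7FFFFFEEu, 0x7FFFFFEFu, 0x7FFFFFF0u, (uint32_t) INT32_MAX,
        0x80000000u, 0xFFFFFFFEu, UINT32_MAX
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (ape_size_ok_cast(samples[i]) != ape_size_ok_nocast(samples[i]))
            return 0;
    return 1;
}

int main(void)
{
    uint32_t size = 0x80000000u; /* constructed input: high bit set */
    printf("size 0x%08x: old check admits=%d, as int parameter=%d, "
           "new check admits=%d\n",
           size, old_check_ok(size), as_int_parameter(size),
           ape_size_ok_cast(size));
    printf("cast and no-cast forms agree on all samples: %d\n", forms_agree());
    return 0;
}
```

The limit works out to 0x7FFFFFEF with the assumed padding of 16: that value is the last one accepted, 0x7FFFFFF0 is the first one rejected, and 0x80000000 passes the old check yet becomes INT_MIN when it reaches an int parameter.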