On Thu, Feb 15, 2024 at 12:07:05PM -0800, Dale Curtis wrote:
> On Mon, Feb 5, 2024 at 12:07 PM Michael Niedermayer wrote:
>
> > assuming atom.size is an arbitrary 64bit value
> > then the value of FFMIN() is also 64bit but entries is unsigned 32bit, this truncation
> > would allow setting entries to values outside what's expected from FFMIN()
> > also we seem to disallow entries == 0 before this
> > and it's maybe possible to set entries = 0 here, bypassing the == 0 check before
>
> Thanks. I've moved the clamp up to before the zero check. The only way a
> bad 64-bit value could get in is if atom.size < 8, which I didn't think was
> possible, but I've added a FFMAX(0,) there too.

[...]

> + FFMIN(avio_rb32(pb),
> + FFMAX(0, (atom.size - 8) /
> + (atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8)));

FFMIN/MAX can evaluate their arguments multiple times so avio_rb32()
might be executed more than once

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is"             - "You wouldn't want it even if you were paid for it, if you knew ..."
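Review bot: the quoted hunk places avio_rb32(pb) inside FFMIN(), and FFMIN/FFMAX are argument-substituting macros, so whenever the first read is within the limit the argument is evaluated again to produce the result: the value stored then comes from the following four bytes and the stream position advances by eight instead of four. Read into a local first, e.g. `entries = avio_rb32(pb);` and then `entries = FFMIN(entries, FFMAX(0, (atom.size - 8) / (atom.type == MKTAG('s', 't', 'c', 'o') ? 4 : 8)));`. The FFMAX(0, ...) only does its job if atom.size is a signed type; if it were unsigned, atom.size - 8 would wrap for atom.size < 8 instead of going negative, so that assumption is worth stating in a comment next to the clamp.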
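As an added illustration of the two points raised in this thread, and not code from the patch or from FFmpeg: a constructed `fake_rb32()` with a read cursor shows FFMIN() evaluating its argument twice, and `entries_clamped()` shows the 64-bit-to-unsigned truncation for atom.size < 8 with and without the FFMAX(0, ...) clamp. The macro definitions, the FakeIO type and the sample bytes are all assumptions made for the example.

```c
#include <stdint.h>
/* FFMIN/FFMAX shaped like FFmpeg's: textual substitution, so an argument
 * with a side effect can be evaluated more than once. */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))
#define FFMAX(a, b) ((a) > (b) ? (a) : (b))
/* Constructed stand-in for AVIOContext: a byte buffer plus a read cursor. */
typedef struct { const uint8_t *buf; int len, pos, reads; } FakeIO;
/* Stand-in for avio_rb32(): big-endian u32, advances the cursor (side effect). */
static uint32_t fake_rb32(FakeIO *pb)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++, pb->pos++)
        v = (v << 8) | (pb->pos < pb->len ? pb->buf[pb->pos] : 0);
    pb->reads++;
    return v;
}

/* The patch's pattern: the read is a macro argument. If the first read is
 * <= limit, FFMIN re-runs it for the result: the next four bytes are returned. */
static uint32_t entries_macro_arg(FakeIO *pb, int64_t limit)
{
    return FFMIN(fake_rb32(pb), limit);
}

/* Read once into a local, then clamp: one read, compared and returned. */
static uint32_t entries_local_first(FakeIO *pb, int64_t limit)
{
    uint32_t raw = fake_rb32(pb);
    return FFMIN(raw, limit);
}

/* Constructed sample stream: two consecutive u32 fields, 5 then 9. */
static const uint8_t SAMPLE[8] = { 0, 0, 0, 5, 0, 0, 0, 9 };
typedef struct { uint32_t value; int reads, pos; } Result;
static Result run_reader(int local_first)
{
    FakeIO pb = { SAMPLE, 8, 0, 0 };
    Result r = { .value = local_first ? entries_local_first(&pb, 100)
                                      : entries_macro_arg(&pb, 100) };
    r.reads = pb.reads; r.pos = pb.pos;
    return r;
}
/* The thread's truncation point: atom_size < 8 makes the 64-bit limit negative, FFMIN
 * picks it, and an unsigned 32-bit 'entries' wraps; FFMAX(0, ...) keeps the limit >= 0. */
static uint32_t entries_clamped(uint32_t raw, int64_t atom_size, int entry_size, int use_ffmax)
{
    int64_t limit = (atom_size - 8) / entry_size;
    if (use_ffmax) limit = FFMAX(0, limit);
    return (uint32_t)FFMIN(raw, limit);
}
```

With the sample stream, the macro-argument version returns 9 after two reads (cursor at 8), while the local-first version returns 5 after one read (cursor at 4).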