From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] avutil/timecode: Check for integer overflow in av_timecode_init_from_components() (PR #20236)
Date: Thu, 14 Aug 2025 18:44:14 +0200
Message-ID: <20250814164414.GQ29660@pb2> (raw)
In-Reply-To: <aJ3wG9UA6OtjZKHC@phare.normalesup.org>
[-- Attachment #1.1: Type: text/plain, Size: 1033 bytes --]
On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote:
> Kieran Kunhya via ffmpeg-devel (HE12025-08-14):
> > I don't think we should partake in this "security vulnerability farming"
> > exercise. This isn't a security issue and it spams the code with integer
> > overflow checks to fix a theoretical issue.
>
> This is my take on this kind of “bugs” too.
I have no oppinion on this, but if INT_MAX hours
gives undefined behavior then the API documentation has to exclude that
as valid input range and all callers must be checked.
(which may imply equivalent checks in some callers)
Maybe we should specify in the commit that this is not a security fix
but a normal bug fix
But the code is buggy if part of the valid API input range results in
undefined behavior
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-08-14 16:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250814002549.6431A68CFFE@ffbox0-bg.ffmpeg.org>
2025-08-14 1:36 ` Kieran Kunhya via ffmpeg-devel
2025-08-14 10:07 ` Michael Niedermayer
2025-08-14 14:14 ` Kieran Kunhya via ffmpeg-devel
2025-08-14 14:18 ` Nicolas George
2025-08-14 16:44 ` Michael Niedermayer [this message]
2025-08-14 0:25 michaelni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814164414.GQ29660@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git