On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote:
> Kieran Kunhya via ffmpeg-devel (HE12025-08-14):
> > I don't think we should partake in this "security vulnerability farming"
> > exercise. This isn't a security issue and it spams the code with integer
> > overflow checks to fix a theoretical issue.
>
> This is my take on this kind of “bugs” too.

I have no opinion on this, but if INT_MAX hours gives undefined behavior
then the API documentation has to exclude that as valid input range and
all callers must be checked. (which may imply equivalent checks in some callers)

Maybe we should specify in the commit that this is not a security fix but a
normal bug fix

But the code is buggy if part of the valid API input range results in
undefined behavior

thx

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin