From: Kieran Kunhya via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Kieran Kunhya <kieran618@googlemail.com>, Alexander Strasser <eclipse7@gmx.net>
Subject: Re: [FFmpeg-devel] [PATCH] avutil/timecode: Check for integer overflow in av_timecode_init_from_components() (PR #20236)
Date: Fri, 15 Aug 2025 02:48:25 -1000
Message-ID: <CABGuwEm0efw72vpt0F48mmouhwyL71VHVTBnti1JLeiv9Ow9wg@mail.gmail.com>
In-Reply-To: <aJ5o0uYVCWU4ylsf@metallschleim.local>

On Thu, 14 Aug 2025, 12:53 Alexander Strasser via ffmpeg-devel, <ffmpeg-devel@ffmpeg.org> wrote:

> On 2025-08-14 18:44 +0200, Michael Niedermayer wrote:
> > On Thu, Aug 14, 2025 at 04:18:03PM +0200, Nicolas George wrote:
> > > Kieran Kunhya via ffmpeg-devel (HE12025-08-14):
> > > > I don't think we should partake in this "security vulnerability farming"
> > > > exercise. This isn't a security issue and it spams the code with integer
> > > > overflow checks to fix a theoretical issue.
> > >
> > > This is my take on this kind of “bugs” too.
> >
> > I have no opinion on this, but if INT_MAX hours
> > gives undefined behavior then the API documentation has to exclude that
> > as valid input range and all callers must be checked.
> > (which may imply equivalent checks in some callers)
> >
> > Maybe we should specify in the commit that this is not a security fix
> > but a normal bug fix
> >
> > But the code is buggy if part of the valid API input range results in
> > undefined behavior
>
> I would say invoking UB should be avoided.
>
> I agree with Michael we should either handle it or improve the
> documentation accordingly so users can find out about the limits.
>
> Proposed patches look fine to me.
>
> If updating the docs is preferred that would also be fine if
> someone wants to volunteer to do that.
>

If I were near a computer I would do that instead of spamming the code with "fixes" for theoretical issues.

Kieran