On Sat, Jun 07, 2025 at 12:21:43AM +0100, Kieran Kunhya via ffmpeg-devel wrote: > On Sat, 7 Jun 2025, 00:12 Michael Niedermayer, <[email protected]> > wrote: > > > Code like FFMIN(MAX_DURATION_BUFFER_SIZE, avio_size(s->pb)) is not safe > > as FFMIN() is a macro and avio_size() is thus evaluated multiple > > times > > > > CC: Justin Ruggles <[email protected]> > > Signed-off-by: Michael Niedermayer <[email protected]> > > --- > > libavformat/dhav.c | 7 ++++--- > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > diff --git a/libavformat/dhav.c b/libavformat/dhav.c > > index 5a83a8aea9d..c7e5371636a 100644 > > --- a/libavformat/dhav.c > > +++ b/libavformat/dhav.c > > @@ -246,11 +246,12 @@ static int64_t get_duration(AVFormatContext *s) > > int64_t end_buffer_pos; > > int64_t offset; > > unsigned date; > > + int64_t size = avio_size(s->pb); > > > > if (!s->pb->seekable) > > return 0; > > > > - if (start_pos + 16 > avio_size(s->pb)) > > + if (start_pos + 16 > size) > > return 0; > > > > avio_skip(s->pb, 16); > > @@ -258,13 +259,13 @@ static int64_t get_duration(AVFormatContext *s) > > get_timeinfo(date, &timeinfo); > > start = av_timegm(&timeinfo) * 1000LL; > > > > - end_buffer_size = FFMIN(MAX_DURATION_BUFFER_SIZE, avio_size(s->pb)); > > + end_buffer_size = FFMIN(MAX_DURATION_BUFFER_SIZE, size); > > end_buffer = av_malloc(end_buffer_size); > > if (!end_buffer) { > > avio_seek(s->pb, start_pos, SEEK_SET); > > return 0; > > } > > - end_buffer_pos = avio_size(s->pb) - end_buffer_size; > > + end_buffer_pos = size - end_buffer_size; > > avio_seek(s->pb, end_buffer_pos, SEEK_SET); > > avio_read(s->pb, end_buffer, end_buffer_size); > > > > -- > > 2.49.0 > > > > Can you explain what "not safe" means? > I assume it means avio_size() causes a seek to the end to get the length > but it's not obvious.
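Review bot: in the first hunk the new initialiser `int64_t size = avio_size(s->pb);` now runs before the `if (!s->pb->seekable) return 0;` guard, so non-seekable inputs get an avio_size() call the old code never issued; since avio_size() may have to seek to learn the length, keep the declaration but move the assignment (`size = avio_size(s->pb);`) to just after the seekable check so the previous ordering is preserved.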
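Review bot: in the second hunk the context line `avio_read(s->pb, end_buffer, end_buffer_size);` still ignores the return value, and the snapshot in `size` can already be stale by the time of the read (the very race the commit message is about); a file that has shrunk gives a short read and the later scan of end_buffer then walks over bytes av_malloc() never initialised. Suggest `int ret = avio_read(s->pb, end_buffer, end_buffer_size);` followed by freeing the buffer, seeking back to start_pos and returning 0 when `ret < end_buffer_size`, or at least bounding the scan to the bytes actually read. The commit message should also say what "not safe" means concretely: the winning FFMIN operand is evaluated twice, so end_buffer_size could exceed the cap, and `end_buffer_pos = size - end_buffer_size` can no longer go negative now that both terms come from one sample.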
if you write
X = FFMIN(1000, avio_size(s->pb))
you don't expect X to be 2000, but it can be, if the file size changes
between the 2 evaluations
also there's if (start_pos + 16 > avio_size(s->pb))
and that might not hold true either by the later evaluations
does it matter?
void *av_malloc(size_t size)
let's assume this is a 32-bit system; end_buffer_pos and avio_size are 64-bit
we truncate the malloc argument
and then here, offset is 64bit
offset = end_buffer_size - 8;
while (offset > 0) {
    if (AV_RL32(end_buffer + offset) == MKTAG('d','h','a','v')) {
        int64_t seek_back = AV_RL32(end_buffer + offset + 4);
        end_pos = end_buffer_pos + offset - seek_back + 8;
        break;
    } else {
        offset -= 9;
    }
}
I have not thought very much about this, I just think code like
FFMIN(1000, avio_size(s->pb))
should behave as one would expect from a quick look
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
For a strong democracy, genuine criticism is necessary, allegations benefit
noone, they just cause unnecessary conflicts. - Narendra Modi
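An added example, not code from the patch or from anyone in the thread, that models the double evaluation Michael describes: a constructed stand-in for avio_size() returns a scripted sequence of sizes, and the pre-patch and post-patch shapes of the get_duration() prologue are run against a file that grows and one that shrinks between calls. FFMIN is copied as FFmpeg defines it; DEMO_MAX_DURATION_BUFFER_SIZE, FakeFile, fake_avio_size, buggy_setup and fixed_setup are all invented for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* FFMIN as FFmpeg defines it: whichever operand wins is evaluated a second time. */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))
#define DEMO_MAX_DURATION_BUFFER_SIZE 1000 /* placeholder cap; the real one is in dhav.c */

/* Constructed stand-in for avio_size(): call i returns sizes[i] (the last value repeats),
 * modelling a file that is still being written, or truncated, while we look at it. */
typedef struct { const int64_t *sizes; int n; int calls; } FakeFile;

static int64_t fake_avio_size(FakeFile *f)
{
    int idx = f->calls < f->n ? f->calls : f->n - 1;
    f->calls++;
    return f->sizes[idx];
}

typedef struct { int64_t end_buffer_size, end_buffer_pos; int size_calls; } Setup;

/* Pre-patch shape: avio_size() inside FFMIN, and again when computing the seek position. */
Setup buggy_setup(const int64_t *sizes, int n)
{
    FakeFile f = { sizes, n, 0 };
    Setup r;
    r.end_buffer_size = FFMIN(DEMO_MAX_DURATION_BUFFER_SIZE, fake_avio_size(&f));
    r.end_buffer_pos  = fake_avio_size(&f) - r.end_buffer_size;
    r.size_calls = f.calls; /* how many times the "file size" was queried */
    return r;
}

/* Post-patch shape: one snapshot, every later use reads the same value. */
Setup fixed_setup(const int64_t *sizes, int n)
{
    FakeFile f = { sizes, n, 0 };
    int64_t size = fake_avio_size(&f);
    Setup r;
    r.end_buffer_size = FFMIN(DEMO_MAX_DURATION_BUFFER_SIZE, size);
    r.end_buffer_pos  = size - r.end_buffer_size;
    r.size_calls = f.calls;
    return r;
}

int main(void)
{
    Setup g = buggy_setup((int64_t[]){ 500, 2000 }, 2); /* file grows between calls */
    Setup s = buggy_setup((int64_t[]){ 1500, 300 }, 2); /* file shrinks between calls */
    printf("growing:   buggy end_buffer_size=%lld exceeds cap %d after %d size calls\n",
           (long long)g.end_buffer_size, DEMO_MAX_DURATION_BUFFER_SIZE, g.size_calls);
    printf("shrinking: buggy end_buffer_pos=%lld (negative seek) after %d size calls\n",
           (long long)s.end_buffer_pos, s.size_calls);
    return 0;
}
```

The growing case is Michael's "X can be 2000" scenario; the shrinking case is his second point, where the earlier size check no longer holds by the time the value is used.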
