[vlc-commits] stream: assert that read size is well defined

Rémi Denis-Courmont git at videolan.org
Mon Oct 31 09:04:51 CET 2016


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Mon Oct 31 10:00:39 2016 +0200| [3bf8a8ec60e5f97cbfbbe11e7f8c88ecb7935a45] | committer: Rémi Denis-Courmont

stream: assert that read size is well defined

The result of a read operation is a signed size_t, and cannot be
negative (except on error). Thus reading more than SSIZE_MAX bytes at
once is not well defined.

(Note: POSIX marks it as implementation-defined, and we cannot rely on
 much given the different implementations.)

In practice, this is not really a limitation for regular reads as
allocating a contiguous output buffer of more than SSIZE_MAX bytes is
essentially impossible. It can however be a problem when skipping data
(buffer pointer is NULL), especially on 32-bit platforms.

To skip such a large amount of data, seeking is recommended instead,
e.g.:

    vlc_stream_Seek(s, vlc_stream_Tell(s) + skip);

instead of:

    vlc_stream_Read(s, NULL, skip);

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=3bf8a8ec60e5f97cbfbbe11e7f8c88ecb7935a45
---

 src/input/stream.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/input/stream.c b/src/input/stream.c
index 6c614f8..5dd239d 100644
--- a/src/input/stream.c
+++ b/src/input/stream.c
@@ -356,6 +356,8 @@ static ssize_t vlc_stream_ReadRaw(stream_t *s, void *buf, size_t len)
     stream_priv_t *priv = (stream_priv_t *)s;
     ssize_t ret;
 
+    assert(len <= SSIZE_MAX);
+
     if (vlc_killed())
         return 0;
 
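Review bot: the new `assert(len <= SSIZE_MAX);` at the top of vlc_stream_ReadRaw() only guards debug builds; with NDEBUG it compiles away and a caller passing `len > SSIZE_MAX` (the NULL-buffer skip case the commit message describes) still reaches the implementation-defined read path unchanged. Consider also an unconditional check that fails cleanly in release builds, e.g. `if (unlikely(len > SSIZE_MAX)) return -1;` placed before the `vlc_killed()` test, so that the contract is enforced rather than merely documented. The hunk also does not show an `#include <assert.h>`; please confirm stream.c already pulls it in. Finally, the SSIZE_MAX limit and the "seek instead of skipping" recommendation belong in the public doc comment for vlc_stream_Read(), since callers will not see this commit message.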