[vlc-devel] [PATCH v3 04/10] core: use refcounter helper for pictures

Romain Vimont rom1v at videolabs.io
Fri Jul 6 20:05:21 CEST 2018

On Fri, Jul 06, 2018 at 07:40:51PM +0300, Rémi Denis-Courmont wrote:
> Le keskiviikkona 4. heinäkuuta 2018, 12.17.58 EEST Romain Vimont a écrit :
> > On Wed, Jul 04, 2018 at 12:02:45PM +0300, Rémi Denis-Courmont wrote:
> > > I never said that uint was enough for anything
> > 
> > Is uint not enough for normal usage (some objects are intended to be
> > refcounted many many times)
> By that argument, you could use unsigned int instead of size_t and yet you 
> don't. I don't see how you can ensure less than 1<<32 references on 64-bits 
> system in the general case.
> > or not enough as a security reason against malicious usage?
> Again, the whole point of Elena's refcount_t in kernel is that 32-bits 
> overflow causes security issues, notably use after free.
> I don't know why the kernel decided to use more complex code to prevent 
> overflow, rather than simply switch to ulong. Probably because of 32-bits 
> platforms and/or to save comparatively expensive kernel memory.

The hardening against refcount overflow is intented to protect against
exploitation (by use-after-free) of bugs, like a missing refcount
decrement, so a malicious program could create many instances to make it
overflow and exploit the bug.


However, IMO, willingly keeping 1<<32 refs to an object is never
expected (it would be a design bug).

We could decide to harden refcounts (this is not the purpose of this
patchset). In that case, it should also apply to picture pool: the
number of refs is expected to be bounded, but refcount overflow protects
against exploitation of bugs.

More information about the vlc-devel mailing list