diracdec: avoid overflow of bytes*8 in decode_lowdelay

If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2025-01-13 21:28:01 +02:00 · 2015-05-05 22:10:44 +02:00 · 2015-05-05 22:10:44 +02:00 · 9e66b39aa8
commit 9e66b39aa8
parent af6739d6da
1 changed files with 4 additions and 1 deletions
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@ -801,7 +801,10 @@ static int decode_lowdelay(DiracContext *s)
            slice_num++;

            buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
        }

    avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,