virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

lavc/utvideodec: prevent possible signed overflow

Browse Source 
Doing slice_end - slice_start is unsafe and can lead to undefined behavior
until slice_end has been properly sanitized.

Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Ganesh Ajjanagadde <gajjanag@gmail.com>
This commit is contained in:
Ganesh Ajjanagadde 2016-02-22 23:21:58 -05:00
parent 67e5bd0c50
commit e86444b19d
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/utvideodec.c
View File

@ -356,12 +356,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
slice_end = 0; slice_end = 0;
for (j = 0; j < c->slices; j++) { for (j = 0; j < c->slices; j++) {
slice_end = bytestream2_get_le32u(&gb); slice_end = bytestream2_get_le32u(&gb);
slice_size = slice_end - slice_start; if (slice_end < 0 || slice_end < slice_start ||
if (slice_end < 0 || slice_size < 0 ||
bytestream2_get_bytes_left(&gb) < slice_end) { bytestream2_get_bytes_left(&gb) < slice_end) {
av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
slice_size = slice_end - slice_start;
slice_start = slice_end; slice_start = slice_end;
max_slice_size = FFMAX(max_slice_size, slice_size); max_slice_size = FFMAX(max_slice_size, slice_size);
} }