avcodec/dirac_arith: fix integer overflow

Fixes: asan_heap-oob_1078676_9_008.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-10-28 02:14:41 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-11-02 02:20:10 +0100
commit: 2cf83677b31453868b090e898bb66809b8d18b63 (patch)
tree: 9650ad60fec4999a8ea27f3e69ae0fc0240941c5
parent: c0be9d7264400f8eb8648fd0b0ad00819e376163 (diff)
download: ffmpeg-2cf83677b31453868b090e898bb66809b8d18b63.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h
index 089c71a698..a1fa96b5bc 100644
--- a/libavcodec/dirac_arith.h
+++ b/libavcodec/dirac_arith.h
@@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c
 {
     int ret = 1;
     while (!dirac_get_arith_bit(c, follow_ctx)) {
+        if (ret >= 0x40000000) {
+            av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n");
+            return -1;
+        }
         ret <<= 1;
         ret += dirac_get_arith_bit(c, data_ctx);
         follow_ctx = ff_dirac_next_ctx[follow_ctx];
author	Michael Niedermayer <michaelni@gmx.at>	2014-10-28 02:14:41 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-11-02 02:20:10 +0100
commit	2cf83677b31453868b090e898bb66809b8d18b63 (patch)
tree	9650ad60fec4999a8ea27f3e69ae0fc0240941c5
parent	c0be9d7264400f8eb8648fd0b0ad00819e376163 (diff)
download	ffmpeg-2cf83677b31453868b090e898bb66809b8d18b63.tar.gz