diracdec: prevent overflow in data_unit_size check

buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> 2015-05-05 21:33:08 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2015-06-01 23:25:22 +0200
commit: 10429a5284cd820c0a641622749b07dbc02d703f (patch)
tree: d57fbb17ec1dbb6aaadab7bcf10bf40c6d3ca5c9
parent: f9f1c50b41bfd42b14c11fcbf43ecc1303da3a86 (diff)
download: ffmpeg-10429a5284cd820c0a641622749b07dbc02d703f.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 5f3cc9eeb5..a6b52e0016 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1939,8 +1939,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             break;
 
         data_unit_size = AV_RB32(buf+buf_idx+5);
-        if (buf_idx + data_unit_size > buf_size || !data_unit_size) {
-            if(buf_idx + data_unit_size > buf_size)
+        if (data_unit_size > buf_size - buf_idx || !data_unit_size) {
+            if(data_unit_size > buf_size - buf_idx)
             av_log(s->avctx, AV_LOG_ERROR,
                    "Data unit with size %d is larger than input buffer, discarding\n",
                    data_unit_size);
author	Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>	2015-05-05 21:33:08 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2015-06-01 23:25:22 +0200
commit	10429a5284cd820c0a641622749b07dbc02d703f (patch)
tree	d57fbb17ec1dbb6aaadab7bcf10bf40c6d3ca5c9
parent	f9f1c50b41bfd42b14c11fcbf43ecc1303da3a86 (diff)
download	ffmpeg-10429a5284cd820c0a641622749b07dbc02d703f.tar.gz