utvideodec: Prevent possible signed overflow

Doing slice_end - slice_start is unsafe and can lead to undefined behavior until slice_end has been properly sanitized. Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Ganesh Ajjanagadde <gajjanag@gmail.com> Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Ganesh Ajjanagadde <gajjanag@gmail.com> 2016-02-22 23:21:58 -0500
committer: Luca Barbato <lu_zero@gentoo.org> 2017-04-13 13:37:10 +0200
commit: 1fe858136b315796dd5349f3b4448a29d1bd6fa1 (patch)
tree: 07a2f8645e901321eea3e072f30303919f7c2168
parent: 4d4d7cf9d539a053f531f662a972b23d335738eb (diff)
download: ffmpeg-1fe858136b315796dd5349f3b4448a29d1bd6fa1.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 808e3be067..2aaf861e62 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -361,12 +361,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         slice_end   = 0;
         for (j = 0; j < c->slices; j++) {
             slice_end   = bytestream2_get_le32u(&gb);
-            slice_size  = slice_end - slice_start;
-            if (slice_end < 0 || slice_size < 0 ||
+            if (slice_end < 0 || slice_end < slice_start ||
                 bytestream2_get_bytes_left(&gb) < slice_end) {
                 av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                 return AVERROR_INVALIDDATA;
             }
+            slice_size  = slice_end - slice_start;
             slice_start = slice_end;
             max_slice_size = FFMAX(max_slice_size, slice_size);
         }
author	Ganesh Ajjanagadde <gajjanag@gmail.com>	2016-02-22 23:21:58 -0500
committer	Luca Barbato <lu_zero@gentoo.org>	2017-04-13 13:37:10 +0200
commit	1fe858136b315796dd5349f3b4448a29d1bd6fa1 (patch)
tree	07a2f8645e901321eea3e072f30303919f7c2168
parent	4d4d7cf9d539a053f531f662a972b23d335738eb (diff)
download	ffmpeg-1fe858136b315796dd5349f3b4448a29d1bd6fa1.tar.gz