jvdec: avoid unsigned overflow in comparison

The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-11-06 21:04:34 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-11-26 01:38:17 +0100
commit: 79e477823f7fc42912b21991e11fbf4f8966464d (patch)
tree: 2c332332360a64e31c95eadc441a4ebe3e8c9f6d
parent: 2ccab79595ae6a7653e503c82d5efc98a10f2be9 (diff)
download: ffmpeg-79e477823f7fc42912b21991e11fbf4f8966464d.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 21eb14d265..9053c61cf2 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -54,7 +54,7 @@ typedef struct {
 
 static int read_probe(AVProbeData *pd)
 {
-    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 &&
+    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size &&
         !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
         return AVPROBE_SCORE_MAX;
     return 0;
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-11-06 21:04:34 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-11-26 01:38:17 +0100
commit	79e477823f7fc42912b21991e11fbf4f8966464d (patch)
tree	2c332332360a64e31c95eadc441a4ebe3e8c9f6d
parent	2ccab79595ae6a7653e503c82d5efc98a10f2be9 (diff)
download	ffmpeg-79e477823f7fc42912b21991e11fbf4f8966464d.tar.gz