diff options
| author | Andreas Cadhalpun <[email protected]> | 2015-05-05 22:10:44 +0200 |
|---|---|---|
| committer | Michael Niedermayer <[email protected]> | 2015-05-06 00:28:52 +0200 |
| commit | 9e66b39aa87eb653a6e5d15f70b792ccbf719de7 (patch) | |
| tree | f2dd47872ffcf4514c3040fe27ed7bb6053bdb74 | |
| parent | af6739d6daf747778996c832a1d8b933cab03dd3 (diff) | |
diracdec: avoid overflow of bytes*8 in decode_lowdelay
If bytes is large enough, bytes*8 can overflow and become negative.
In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.
This leads to a segmentation fault.
Signed-off-by: Andreas Cadhalpun <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
| -rw-r--r-- | libavcodec/diracdec.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 4230a06e32..adbe331e95 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -801,7 +801,10 @@ static int decode_lowdelay(DiracContext *s) slice_num++; buf += bytes; - bufsize -= bytes*8; + if (bufsize/8 >= bytes) + bufsize -= bytes*8; + else + bufsize = 0; } avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num, |