diracdec: avoid overflow of bytes*8 in decode_lowdelay

If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> 2015-05-05 22:10:44 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2015-06-17 21:50:09 +0200
commit: b946f849bb926dcfb67ed76e0bd8fdb1b53519b2 (patch)
tree: b6ccd9d0cd52354a65a546804169cdaf1222f5eb
parent: a64102e25fb94159ee548cb7fb59322770faf7f7 (diff)
download: ffmpeg-b946f849bb926dcfb67ed76e0bd8fdb1b53519b2.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index ebbe80bb3e..c9c43fd969 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -797,7 +797,10 @@ static void decode_lowdelay(DiracContext *s)
             slice_num++;
 
             buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
         }
 
     avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,
author	Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>	2015-05-05 22:10:44 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2015-06-17 21:50:09 +0200
commit	b946f849bb926dcfb67ed76e0bd8fdb1b53519b2 (patch)
tree	b6ccd9d0cd52354a65a546804169cdaf1222f5eb
parent	a64102e25fb94159ee548cb7fb59322770faf7f7 (diff)
download	ffmpeg-b946f849bb926dcfb67ed76e0bd8fdb1b53519b2.tar.gz