diff options
| author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-11-06 21:04:34 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-11-12 02:55:47 +0100 |
| commit | cd8bedb9fa7c3d04288bf57b64081b4a89aefb4d (patch) | |
| tree | a97b5b33c5df80bb6ac71bee7a320e2467d4abe9 | |
| parent | d332aa6ec678e5e9630710a049eee36a91127f8c (diff) | |
| download | ffmpeg-cd8bedb9fa7c3d04288bf57b64081b4a89aefb4d.tar.gz | |
jvdec: avoid unsigned overflow in comparison
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/jvdec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 64d31e0ee6..103507df4c 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct JVDemuxContext { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; |