authorMichael Niedermayer <michaelni@gmx.at>2014-10-28 02:14:41 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-10-28 15:00:05 +0100
commite26fd791efaa52f825903be6e41d44fbaf40aadb (patch)
tree20ab75668314650eb8a7ebdda762a0fcf94e66f9
parentad98b2891cea0276323ae1769ba6a6128855c316 (diff)
avcodec/dirac_arith: fix integer overflow
Fixes: asan_heap-oob_1078676_9_008.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/dirac_arith.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h
index 089c71a698..a1fa96b5bc 100644
--- a/libavcodec/dirac_arith.h
+++ b/libavcodec/dirac_arith.h
@@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c
{
int ret = 1;
while (!dirac_get_arith_bit(c, follow_ctx)) {
+ if (ret >= 0x40000000) {
+ av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n");
+ return -1;
+ }
ret <<= 1;
ret += dirac_get_arith_bit(c, data_ctx);
follow_ctx = ff_dirac_next_ctx[follow_ctx];
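Review bot: The `return -1` in the new overflow guard adds an error sentinel to a function whose callers are outside this hunk, so nothing visible here confirms that any of them checks for a negative result. If they do not, a malformed stream would keep decoding with -1 treated as an ordinary decoded value. The contract should be documented above the function, for example `/* Returns the decoded unsigned value, or -1 if it would overflow int. */`, and the call sites audited against it. Separately, `av_log(NULL, AV_LOG_ERROR, ...)` sits in an inline per-symbol path, so a crafted file may produce one context-less error line per symbol; reporting once from a caller that holds a codec context would keep logs bounded and attributable. The body of dirac_get_arith_uint continues past the end of the hunk.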