diff options
| author | Ganesh Ajjanagadde <gajjanag@gmail.com> | 2016-02-22 23:21:58 -0500 |
|---|---|---|
| committer | Ganesh Ajjanagadde <gajjanag@gmail.com> | 2016-02-23 20:37:11 -0500 |
| commit | e86444b19d0b63c098298243fb20fd577f34cf34 (patch) | |
| tree | 74439a4450a2cb0373f85ed16f94f995fa3f4acf | |
| parent | 67e5bd0c501f7568fc8d93284d0f7eb40663ab06 (diff) | |
| download | ffmpeg-e86444b19d0b63c098298243fb20fd577f34cf34.tar.gz | |
lavc/utvideodec: prevent possible signed overflow
Doing slice_end - slice_start is unsafe and can lead to undefined behavior
until slice_end has been properly sanitized.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Ganesh Ajjanagadde <gajjanag@gmail.com>
| -rw-r--r-- | libavcodec/utvideodec.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 760d9e5a7f..c31416b21b 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -356,12 +356,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, slice_end = 0; for (j = 0; j < c->slices; j++) { slice_end = bytestream2_get_le32u(&gb); - slice_size = slice_end - slice_start; - if (slice_end < 0 || slice_size < 0 || + if (slice_end < 0 || slice_end < slice_start || bytestream2_get_bytes_left(&gb) < slice_end) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; } + slice_size = slice_end - slice_start; slice_start = slice_end; max_slice_size = FFMAX(max_slice_size, slice_size); } |