avcodec/cbs: Fix potential overflow

The number of bits in a PutBitContext must fit into an int, yet nothing guaranteed the size argument cbs_write_unit_data() uses in init_put_bits() to be in the range 0..INT_MAX / 8. This has been changed. Furthermore, the check 8 * data_size > data_bit_start that there is data beyond the initial padding when writing mpeg2 or H.264/5 slices could also overflow, so divide it by 8 to get an equivalent check without this problem. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit cda3e8ca04c0e343f5b60fda8fb467936e176f33)
author: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> 2019-11-17 08:34:36 +0100
committer: James Almer <jamrial@gmail.com> 2019-12-31 16:57:37 -0300
commit: 4667920455c0d52c25835ff81098254213f2d018 (patch)
tree: 431dbc0a0d8c4ecdf052e06cf25c8a50d03dd809 /libavcodec/cbs_mpeg2.c
parent: 1cf238d3bfefdfd3345ca262f57e08a798bb0d90 (diff)
download: ffmpeg-4667920455c0d52c25835ff81098254213f2d018.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c
index a49a403b26..98a22e3a68 100644
--- a/libavcodec/cbs_mpeg2.c
+++ b/libavcodec/cbs_mpeg2.c
@@ -301,7 +301,7 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext *ctx,
         uint8_t *pos = slice->data + slice->data_bit_start / 8;
 
         av_assert0(slice->data_bit_start >= 0 &&
-                   8 * slice->data_size > slice->data_bit_start);
+                   slice->data_size > slice->data_bit_start / 8);
 
         if (slice->data_size * 8 + 8 > put_bits_left(pbc))
             return AVERROR(ENOSPC);
author	Andreas Rheinhardt <andreas.rheinhardt@gmail.com>	2019-11-17 08:34:36 +0100
committer	James Almer <jamrial@gmail.com>	2019-12-31 16:57:37 -0300
commit	4667920455c0d52c25835ff81098254213f2d018 (patch)
tree	431dbc0a0d8c4ecdf052e06cf25c8a50d03dd809 /libavcodec/cbs_mpeg2.c
parent	1cf238d3bfefdfd3345ca262f57e08a798bb0d90 (diff)
download	ffmpeg-4667920455c0d52c25835ff81098254213f2d018.tar.gz