diff options
author | Martin Boehme <boehme@inb.uni-luebeck.de> | 2005-07-25 23:07:27 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2005-07-25 23:07:27 +0000 |
commit | acb22f9391039f8dde736f9453f351f58b04808d (patch) | |
tree | e59b28c2561dd4c8a5de6564a5cde75725c7d1d1 /libavcodec | |
parent | d8cbeba1563f3e481aba7a4c72fa54c9b961ebdc (diff) | |
download | ffmpeg-acb22f9391039f8dde736f9453f351f58b04808d.tar.gz |
Fix for overflow issue in mpegvideo.c patch by (Martin Boehme: boehme, inb uni-luebeck de)
this integer overflow might lead to the execution of arbitrary code during encoding with threads
Originally committed as revision 4474 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/mpegvideo.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index a6017136e1..87a56ffa56 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -2316,8 +2316,8 @@ int MPV_encode_picture(AVCodecContext *avctx, int start_y= s->thread_context[i]->start_mb_y; int end_y= s->thread_context[i]-> end_mb_y; int h= s->mb_height; - uint8_t *start= buf + buf_size*start_y/h; - uint8_t *end = buf + buf_size* end_y/h; + uint8_t *start= buf + (size_t)(((int64_t) buf_size)*start_y/h); + uint8_t *end = buf + (size_t)(((int64_t) buf_size)* end_y/h); init_put_bits(&s->thread_context[i]->pb, start, end - start); } |