rtmp: fix multiple broken overflow checks

Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Xi Wang <xi.wang@gmail.com> 2013-01-22 17:49:29 -0500
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-07 01:00:01 +0100
commit: 7df878ac15077ccb1a4763fc285bd7e02b7b6a1f (patch)
tree: 5296943ceb7e79898662c37a846ac24d51b7a418 /libavformat
parent: bc58fe0309a075b6f75aeef948a55eede927591c (diff)
download: ffmpeg-7df878ac15077ccb1a4763fc285bd7e02b7b6a1f.tar.gz
1 files changed, 6 insertions, 6 deletions
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index b607d5b5e2..975ec8e2d1 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -343,11 +343,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
                 data++;
                 break;
             }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                 return -1;
             data += size;
             t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                 return -1;
             data += t;
         }
@@ -376,7 +376,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
         int size = bytestream_get_be16(&data);
         if (!size)
             break;
-        if (data + size >= data_end || data + size < data)
+        if (size < 0 || size >= data_end - data)
             return -1;
         data += size;
         if (size == namelen && !memcmp(data-size, name, namelen)) {
@@ -397,7 +397,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
             return 0;
         }
         len = ff_amf_tag_size(data, data_end);
-        if (len < 0 || data + len >= data_end || data + len < data)
+        if (len < 0 || len >= data_end - data)
             return -1;
         data += len;
     }
@@ -468,13 +468,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
                 data++;
                 break;
             }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                 return;
             data += size;
             av_log(ctx, AV_LOG_DEBUG, "  %s: ", buf);
             ff_amf_tag_contents(ctx, data, data_end);
             t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                 return;
             data += t;
         }
author	Xi Wang <xi.wang@gmail.com>	2013-01-22 17:49:29 -0500
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-07 01:00:01 +0100
commit	7df878ac15077ccb1a4763fc285bd7e02b7b6a1f (patch)
tree	5296943ceb7e79898662c37a846ac24d51b7a418 /libavformat
parent	bc58fe0309a075b6f75aeef948a55eede927591c (diff)
download	ffmpeg-7df878ac15077ccb1a4763fc285bd7e02b7b6a1f.tar.gz