[FFmpeg-cvslog] diracdec: prevent overflow in data_unit_size check
Andreas Cadhalpun
git at videolan.org
Thu May 21 21:25:54 CEST 2015
ffmpeg | branch: release/2.5 | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Tue May 5 21:33:08 2015 +0200| [e67181a3518f6c6cc687aa5d4d625b067e252ad1] | committer: Michael Niedermayer
diracdec: prevent overflow in data_unit_size check
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e67181a3518f6c6cc687aa5d4d625b067e252ad1
---
libavcodec/diracdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index aa8e2b0..09ca077 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1931,8 +1931,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
break;
data_unit_size = AV_RB32(buf+buf_idx+5);
- if (buf_idx + data_unit_size > buf_size || !data_unit_size) {
- if(buf_idx + data_unit_size > buf_size)
+ if (data_unit_size > buf_size - buf_idx || !data_unit_size) {
+ if(data_unit_size > buf_size - buf_idx)
av_log(s->avctx, AV_LOG_ERROR,
"Data unit with size %d is larger than input buffer, discarding\n",
data_unit_size);
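Review bot: the rewritten comparison `data_unit_size > buf_size - buf_idx` is only safe if `buf_idx <= buf_size` always holds at this point and if `data_unit_size` cannot be negative, and neither is visible in this hunk. The value comes from `AV_RB32(buf+buf_idx+5)`, a full 32-bit field, and it is logged with `%d`; if the variable is a signed int, a field value above INT_MAX becomes negative, passes both this check and `!data_unit_size`, and is then used as a size. Please confirm the declaration is unsigned (and switch the format to `%u` in that case), or reject negative values explicitly. A short comment stating the `buf_idx <= buf_size` invariant would help, and since the same comparison now appears on two consecutive lines, it could be computed once so the two copies cannot drift apart in a later edit.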