[FFmpeg-cvslog] jvdec: avoid unsigned overflow in comparison
Andreas Cadhalpun
git at videolan.org
Thu Nov 26 01:50:40 CET 2015
ffmpeg | branch: release/2.5 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Fri Nov 6 21:04:34 2015 +0100| [4636eb8968807fc41154b361383b8df4f1b28984] | committer: Andreas Cadhalpun
jvdec: avoid unsigned overflow in comparison
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4636eb8968807fc41154b361383b8df4f1b28984
---
libavformat/jvdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 21eb14d..9053c61 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -54,7 +54,7 @@ typedef struct {
static int read_probe(AVProbeData *pd)
{
- if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 &&
+ if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size &&
!memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
return AVPROBE_SCORE_MAX;
return 0;
More information about the ffmpeg-cvslog
mailing list