[FFmpeg-cvslog] jvdec: avoid unsigned overflow in comparison

Andreas Cadhalpun git at videolan.org
Thu Nov 26 01:50:40 CET 2015


ffmpeg | branch: release/2.5 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Fri Nov  6 21:04:34 2015 +0100| [4636eb8968807fc41154b361383b8df4f1b28984] | committer: Andreas Cadhalpun

jvdec: avoid unsigned overflow in comparison

The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.

Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4636eb8968807fc41154b361383b8df4f1b28984
---

 libavformat/jvdec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 21eb14d..9053c61 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -54,7 +54,7 @@ typedef struct {
 
 static int read_probe(AVProbeData *pd)
 {
-    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 &&
+    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size &&
         !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
         return AVPROBE_SCORE_MAX;
     return 0;



More information about the ffmpeg-cvslog mailing list