[FFmpeg-cvslog] lavc/utvideodec: prevent possible signed overflow
Ganesh Ajjanagadde
git at videolan.org
Wed Feb 24 02:43:19 CET 2016
ffmpeg | branch: master | Ganesh Ajjanagadde <gajjanag at gmail.com> | Mon Feb 22 23:21:58 2016 -0500| [e86444b19d0b63c098298243fb20fd577f34cf34] | committer: Ganesh Ajjanagadde
lavc/utvideodec: prevent possible signed overflow
Doing slice_end - slice_start is unsafe and can lead to undefined behavior
until slice_end has been properly sanitized.
Reviewed-by: Ronald S. Bultje <rsbultje at gmail.com>
Signed-off-by: Ganesh Ajjanagadde <gajjanag at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e86444b19d0b63c098298243fb20fd577f34cf34
---
libavcodec/utvideodec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 760d9e5..c31416b 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -356,12 +356,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
slice_end = 0;
for (j = 0; j < c->slices; j++) {
slice_end = bytestream2_get_le32u(&gb);
- slice_size = slice_end - slice_start;
- if (slice_end < 0 || slice_size < 0 ||
+ if (slice_end < 0 || slice_end < slice_start ||
bytestream2_get_bytes_left(&gb) < slice_end) {
av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
return AVERROR_INVALIDDATA;
}
+ slice_size = slice_end - slice_start;
slice_start = slice_end;
max_slice_size = FFMAX(max_slice_size, slice_size);
}
More information about the ffmpeg-cvslog
mailing list