[FFmpeg-cvslog] avpacket: fix size check in packet_alloc

Andreas Cadhalpun git at videolan.org
Tue Jan 5 22:39:45 CET 2016


ffmpeg | branch: master | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Jan  5 13:01:53 2016 +0100| [da3c3c446cb434be9d0025f519e00c2385135c85] | committer: Andreas Cadhalpun

avpacket: fix size check in packet_alloc

The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE
to -1.

This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32
cannot be represented in type 'int'

Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=da3c3c446cb434be9d0025f519e00c2385135c85
---

 libavcodec/avpacket.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index 97c12b5..4901d36 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -71,7 +71,7 @@ void av_packet_free(AVPacket **pkt)
 static int packet_alloc(AVBufferRef **buf, int size)
 {
     int ret;
-    if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+    if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
         return AVERROR(EINVAL);
 
     ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);



More information about the ffmpeg-cvslog mailing list