[FFmpeg-cvslog] rtpenc: fix overflow checking in avc_mp4_find_startcode()

Xi Wang git at videolan.org
Wed Jan 23 18:29:51 CET 2013


ffmpeg | branch: master | Xi Wang <xi.wang at gmail.com> | Tue Jan 22 20:58:07 2013 -0500| [cf29f49d8ae00bb153c24b5c8a8f6cb150a91de8] | committer: Martin Storsjö

rtpenc: fix overflow checking in avc_mp4_find_startcode()

The check `start + res < start' is broken since pointer overflow is
undefined behavior in C.  Many compilers such as gcc/clang optimize
away this check.

Use `res > end - start' instead.  Also change `res' to unsigned int
to avoid signed left-shift overflow.

Signed-off-by: Xi Wang <xi.wang at gmail.com>
Signed-off-by: Martin Storsjö <martin at martin.st>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cf29f49d8ae00bb153c24b5c8a8f6cb150a91de8
---

 libavformat/rtpenc_h264.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/rtpenc_h264.c b/libavformat/rtpenc_h264.c
index ac74074..206d9ba 100644
--- a/libavformat/rtpenc_h264.c
+++ b/libavformat/rtpenc_h264.c
@@ -31,14 +31,14 @@
 
 static const uint8_t *avc_mp4_find_startcode(const uint8_t *start, const uint8_t *end, int nal_length_size)
 {
-    int res = 0;
+    unsigned int res = 0;
 
     if (end - start < nal_length_size)
         return NULL;
     while (nal_length_size--)
         res = (res << 8) | *start++;
 
-    if (start + res > end || res < 0 || start + res < start)
+    if (res > end - start)
         return NULL;
 
     return start + res;
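Review bot: the new comparison `res > end - start` on the `+` line compares an unsigned int against a ptrdiff_t, and it is only correct because the hunk's earlier `end - start < nal_length_size` test plus the `*start++` loop guarantee `end - start >= 0` at that point; a one-line comment stating that invariant would stop a later cleanup from "fixing" the sign mismatch and reintroducing a `start + res` form. The hunk also still trusts `nal_length_size` with no range check, so for values above 4 the `res = (res << 8) | *start++` accumulation silently drops the high bytes of the length; if callers already restrict it to 1..4 that is fine, but it is worth saying so next to the function.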

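The corrected check from the commit above, used to walk a buffer of length-prefixed ("mp4-style") H.264 NAL units. This is an added example, not FFmpeg's code: `find_next_nal` mirrors the patched `avc_mp4_find_startcode`, `count_nal_units` and the `sample_*` buffers are assumptions constructed for illustration, and the inputs include the two length values the commit message singles out (a large positive length the old `res < 0` test could not catch, and a length with the top bit set that overflowed the signed shifts).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not FFmpeg's code). find_next_nal mirrors the patched
 * avc_mp4_find_startcode: it reads a big-endian length prefix of
 * nal_length_size bytes and returns a pointer to the byte after that NAL,
 * i.e. the next length prefix, or NULL if the length runs past the buffer.
 */
static const uint8_t *find_next_nal(const uint8_t *start, const uint8_t *end,
                                    int nal_length_size)
{
    unsigned int res = 0;            /* unsigned: no signed left-shift overflow */

    if (end - start < nal_length_size)
        return NULL;                 /* not even a full length prefix left */
    while (nal_length_size--)
        res = (res << 8) | *start++;

    /* start was advanced by exactly nal_length_size bytes, so end - start is a
     * non-negative ptrdiff_t here. Comparing the length against the remaining
     * size never forms a pointer outside the buffer, unlike `start + res > end'
     * or `start + res < start', which are undefined behaviour when res is big. */
    if (res > end - start)
        return NULL;

    return start + res;
}

/* Count the NAL units in buf[0..len); -1 if any length prefix is malformed.
 * nal_length_size must be 1..4, the values an avcC box can carry (assumed). */
int count_nal_units(const uint8_t *buf, size_t len, int nal_length_size)
{
    const uint8_t *p = buf, *end = buf + len;
    int count = 0;

    if (nal_length_size < 1 || nal_length_size > 4)
        return -1;
    while (p < end) {
        const uint8_t *next = find_next_nal(p, end, nal_length_size);
        if (!next)
            return -1;               /* prefix missing or length past end */
        count++;
        p = next;                    /* p now sits on the next length prefix */
    }
    return count;
}

/* Constructed sample inputs (not captured from any real stream). */
const uint8_t sample_ok[] = {        /* 4-byte prefixes, two well-formed NALs */
    0x00, 0x00, 0x00, 0x02, 0x65, 0x88,
    0x00, 0x00, 0x00, 0x01, 0x41 };
const uint8_t sample_short2[] = {    /* 2-byte prefixes, second NAL is empty */
    0x00, 0x01, 0x67,
    0x00, 0x00 };
const uint8_t sample_truncated[] = { /* claims 5 payload bytes, only 2 present */
    0x00, 0x00, 0x00, 0x05, 0x65, 0x88 };
const uint8_t sample_huge[] = {      /* 0x7fffffff: positive as int, so the old
                                        `res < 0' test missed it and start + res
                                        wrapped the pointer */
    0x7f, 0xff, 0xff, 0xff, 0x65 };
const uint8_t sample_topbit[] = {    /* 0xffffffff: with a signed res the shifts
                                        themselves overflowed */
    0xff, 0xff, 0xff, 0xff, 0x65 };

int main(void)
{
    printf("ok:        %d NAL(s)\n", count_nal_units(sample_ok, sizeof sample_ok, 4));
    printf("short2:    %d NAL(s)\n", count_nal_units(sample_short2, sizeof sample_short2, 2));
    printf("truncated: %d\n", count_nal_units(sample_truncated, sizeof sample_truncated, 4));
    printf("huge:      %d\n", count_nal_units(sample_huge, sizeof sample_huge, 4));
    printf("topbit:    %d\n", count_nal_units(sample_topbit, sizeof sample_topbit, 4));
    return 0;
}
```

The walk terminates because every accepted NAL advances `p` by at least the prefix size, which is why `count_nal_units` rejects a zero `nal_length_size` up front; the length check itself only ever subtracts two pointers into the same buffer and compares the result with an integer, so no out-of-bounds pointer is formed even for the 0x7fffffff and 0xffffffff prefixes.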
