[FFmpeg-devel] [PATCH] diracdec: prevent overflow in data_unit_size check
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Tue May 5 21:33:08 CEST 2015
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to
wrongly fail.
This causes a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/diracdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 05e954b..0453a97 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1937,8 +1937,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
break;
data_unit_size = AV_RB32(buf+buf_idx+5);
- if (buf_idx + data_unit_size > buf_size || !data_unit_size) {
- if(buf_idx + data_unit_size > buf_size)
+ if (data_unit_size > buf_size - buf_idx || !data_unit_size) {
+ if(data_unit_size > buf_size - buf_idx)
av_log(s->avctx, AV_LOG_ERROR,
"Data unit with size %d is larger than input buffer, discarding\n",
data_unit_size);
--
2.1.4
More information about the ffmpeg-devel
mailing list