[FFmpeg-devel] [PATCH] lavc/utvideodec: prevent possible signed overflow

Ganesh Ajjanagadde gajjanag at gmail.com
Tue Feb 23 05:34:19 CET 2016


Doing slice_end - slice_start is unsafe and can lead to undefined behavior
until slice_end has been properly sanitized.

Signed-off-by: Ganesh Ajjanagadde <gajjanag at gmail.com>
---
 libavcodec/utvideodec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 760d9e5..c31416b 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -356,12 +356,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         slice_end   = 0;
         for (j = 0; j < c->slices; j++) {
             slice_end   = bytestream2_get_le32u(&gb);
-            slice_size  = slice_end - slice_start;
-            if (slice_end < 0 || slice_size < 0 ||
+            if (slice_end < 0 || slice_end < slice_start ||
                 bytestream2_get_bytes_left(&gb) < slice_end) {
                 av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                 return AVERROR_INVALIDDATA;
             }
+            slice_size  = slice_end - slice_start;
             slice_start = slice_end;
             max_slice_size = FFMAX(max_slice_size, slice_size);
         }
-- 
2.7.1



More information about the ffmpeg-devel mailing list