[FFmpeg-cvslog] diracdec: avoid overflow of bytes*8 in decode_lowdelay

Andreas Cadhalpun git at videolan.org
Tue Jun 2 00:50:18 CEST 2015


ffmpeg | branch: release/2.4 | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Tue May  5 22:10:44 2015 +0200| [68c11b665458bf43d5f751131c43c6e402e5e02f] | committer: Michael Niedermayer

diracdec: avoid overflow of bytes*8 in decode_lowdelay

If bytes is large enough, bytes*8 can overflow and become negative.

In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.

This leads to a segmentation fault.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68c11b665458bf43d5f751131c43c6e402e5e02f
---

 libavcodec/diracdec.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index a6b52e0..533f37b 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s)
             slice_num++;
 
             buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
         }
 
     avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,



More information about the ffmpeg-cvslog mailing list