[FFmpeg-cvslog] avpacket: fix size check in packet_alloc
Andreas Cadhalpun
git at videolan.org
Tue Jan 19 08:48:12 CET 2016
ffmpeg | branch: master | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Tue Jan 5 13:05:50 2016 +0100| [fa463aa83a4920b0eed47ad1f79775dfc53d21ec] | committer: Anton Khirnov
avpacket: fix size check in packet_alloc
The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE
to -1.
This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32
cannot be represented in type 'int'
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa463aa83a4920b0eed47ad1f79775dfc53d21ec
---
libavcodec/avpacket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index 87454d5..3f8e163 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -69,7 +69,7 @@ void av_packet_free(AVPacket **pkt)
static int packet_alloc(AVBufferRef **buf, int size)
{
int ret;
- if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+ if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR(EINVAL);
ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);
More information about the ffmpeg-cvslog
mailing list