avformat/mpc8: fix broken pointer math
authorwm4 <nfxjfg@googlemail.com>
Tue, 3 Feb 2015 18:04:11 +0000 (19:04 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 12 Feb 2015 16:10:36 +0000 (17:10 +0100)
This could overflow and crash at least on 32 bit systems.

Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/mpc8.c

index 722d0ee..6524c7e 100644 (file)
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p)
         size = bs_get_v(&bs);
         if (size < 2)
             return 0;
-        if (bs + size - 2 >= bs_end)
+        if (size >= bs_end - bs + 2)
             return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet
         if (header_found) {
             if (size < 11 || size > 28)