diracdec: avoid overflow of bytes*8 in decode_lowdelay
author Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Tue, 5 May 2015 20:10:44 +0000 (22:10 +0200)
committer Michael Niedermayer <michaelni@gmx.at>
Thu, 21 May 2015 18:43:37 +0000 (20:43 +0200)
If bytes is large enough, bytes*8 can overflow and become negative.

In that case 'bufsize -= bytes*8' causes bufsize to increase instead of
decrease.

This leads to a segmentation fault.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/diracdec.c

index 09ca077..edb56a6 100644 (file)
@@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s)
             slice_num++;
 
             buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
         }
 
     avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,
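Review bot: `buf += bytes;` directly above the new check is still unconditional, so when the `else` branch fires the pointer has already been advanced by a `bytes` value larger than the `bufsize/8` bytes that remain. Setting `bufsize = 0` fixes the bit count, but `buf` is left pointing past the data it describes. Consider testing `bufsize/8 >= bytes` before advancing `buf`, and stopping the loop (or clamping `bytes`) when it fails, so pointer and size stay consistent. The guard also only holds for non-negative `bytes`: a negative value would pass `bufsize/8 >= bytes` and `bufsize -= bytes*8` would again increase `bufsize`. Whether `bytes` can be negative is not visible in this hunk, so either add that check here or a short comment stating where it is guaranteed. A one-line comment noting that `bufsize` is in bits and `bytes` in bytes would also make the division-based comparison easier to follow.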