avpacket: fix size check in packet_alloc
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 5 Jan 2016 12:01:53 +0000 (13:01 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 5 Jan 2016 21:30:50 +0000 (22:30 +0100)
The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE
to -1.

This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32
cannot be represented in type 'int'

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/avpacket.c

index 97c12b5..4901d36 100644 (file)
@@ -71,7 +71,7 @@ void av_packet_free(AVPacket **pkt)
 static int packet_alloc(AVBufferRef **buf, int size)
 {
     int ret;
-    if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+    if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
         return AVERROR(EINVAL);
 
     ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);