jvdec: avoid unsigned overflow in comparison
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fri, 6 Nov 2015 20:04:34 +0000 (21:04 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 7 Nov 2015 13:10:41 +0000 (14:10 +0100)
The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
is 3, the right side overflows leading to a wrong result of the
comparison and subsequently a heap buffer overflow.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/jvdec.c

index 4d4f0c7..a31c723 100644 (file)
@@ -54,7 +54,7 @@ typedef struct JVDemuxContext {
 
 static int read_probe(AVProbeData *pd)
 {
-    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 &&
+    if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size &&
         !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
         return AVPROBE_SCORE_MAX;
     return 0;