rtmp: fix multiple broken overflow checks

Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Martin Storsjö <martin@martin.st>

rtmp: fix multiple broken overflow checks
Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Martin Storsjö <martin@martin.st>
3cff5336 · Xi Wang · Martin Storsjö · 2e413003 · 3cff5336
Commit 3cff5336 authored Jan 22, 2013 by Xi Wang Committed by Martin Storsjö Jan 23, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

rtmppkt.c libavformat/rtmppkt.c +6 -6

No files found.
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -356,11 +356,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
                data++;
                break;
            }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                return -1;
            data += size;
            t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                return -1;
            data += t;
        }
@@ -389,7 +389,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
        int size = bytestream_get_be16(&data);
        if (!size)
            break;
-        if (data + size >= data_end || data + size < data)
+        if (size < 0 || size >= data_end - data)
            return -1;
        data += size;
        if (size == namelen && !memcmp(data-size, name, namelen)) {
@@ -410,7 +410,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
            return 0;
        }
        len = ff_amf_tag_size(data, data_end);
-        if (len < 0 || data + len >= data_end || data + len < data)
+        if (len < 0 || len >= data_end - data)
            return -1;
        data += len;
    }
@@ -481,13 +481,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
                data++;
                break;
            }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                return;
            data += size;
            av_log(ctx, AV_LOG_DEBUG, "  %s: ", buf);
            ff_amf_tag_contents(ctx, data, data_end);
            t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                return;
            data += t;
        }