diracdec: prevent overflow in data_unit_size check

buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diracdec: prevent overflow in data_unit_size check
buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
984f50de · Andreas Cadhalpun · Michael Niedermayer · ed68fccf · 984f50de
Commit 984f50de authored May 05, 2015 by Andreas Cadhalpun Committed by Michael Niedermayer May 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

diracdec.c libavcodec/diracdec.c +2 -2

No files found.
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1937,8 +1937,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            break;

        data_unit_size = AV_RB32(buf+buf_idx+5);
-        if (buf_idx + data_unit_size > buf_size || !data_unit_size) {
-            if(buf_idx + data_unit_size > buf_size)
+        if (data_unit_size > buf_size - buf_idx || !data_unit_size) {
+            if(data_unit_size > buf_size - buf_idx)
            av_log(s->avctx, AV_LOG_ERROR,
                   "Data unit with size %d is larger than input buffer, discarding\n",
                   data_unit_size);