diracdec: avoid overflow of bytes*8 in decode_lowdelay

If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diracdec: avoid overflow of bytes*8 in decode_lowdelay
If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
9e66b39a · Andreas Cadhalpun · Michael Niedermayer · af6739d6 · 9e66b39a
Commit 9e66b39a authored May 05, 2015 by Andreas Cadhalpun Committed by Michael Niedermayer May 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

diracdec.c libavcodec/diracdec.c +4 -1

No files found.
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -801,7 +801,10 @@ static int decode_lowdelay(DiracContext *s)
            slice_num++;

            buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
        }

    avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,