lavc/utvideodec: prevent possible signed overflow

Doing slice_end - slice_start is unsafe and can lead to undefined behavior until slice_end has been properly sanitized. Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Ganesh Ajjanagadde <gajjanag@gmail.com>

lavc/utvideodec: prevent possible signed overflow
Doing slice_end - slice_start is unsafe and can lead to undefined behavior until slice_end has been properly sanitized. Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Ganesh Ajjanagadde <gajjanag@gmail.com>
e86444b1 · Ganesh Ajjanagadde · 67e5bd0c · e86444b1
Commit e86444b1 authored Feb 23, 2016 by Ganesh Ajjanagadde
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

utvideodec.c libavcodec/utvideodec.c +2 -2

No files found.
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -356,12 +356,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
        slice_end   = 0;
        for (j = 0; j < c->slices; j++) {
            slice_end   = bytestream2_get_le32u(&gb);
-            slice_size  = slice_end - slice_start;
-            if (slice_end < 0 || slice_size < 0 ||
+            if (slice_end < 0 || slice_end < slice_start ||
                bytestream2_get_bytes_left(&gb) < slice_end) {
                av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                return AVERROR_INVALIDDATA;
            }
+            slice_size  = slice_end - slice_start;
            slice_start = slice_end;
            max_slice_size = FFMAX(max_slice_size, slice_size);
        }