Commit fa463aa8 authored by Andreas Cadhalpun's avatar Andreas Cadhalpun Committed by Anton Khirnov

avpacket: fix size check in packet_alloc

The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE
to -1.

This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32
cannot be represented in type 'int'
Signed-off-by: 's avatarAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: 's avatarAnton Khirnov <anton@khirnov.net>
parent 06628137
......@@ -69,7 +69,7 @@ void av_packet_free(AVPacket **pkt)
static int packet_alloc(AVBufferRef **buf, int size)
{
int ret;
if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
return AVERROR(EINVAL);
ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment