avpacket: fix size check in packet_alloc

The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE to -1. This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>

avpacket: fix size check in packet_alloc
The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE to -1. This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>
fa463aa8 · Andreas Cadhalpun · Anton Khirnov · 06628137 · fa463aa8
Commit fa463aa8 authored Jan 05, 2016 by Andreas Cadhalpun Committed by Anton Khirnov Jan 07, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

avpacket.c libavcodec/avpacket.c +1 -1

No files found.
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -69,7 +69,7 @@ void av_packet_free(AVPacket **pkt)
 static int packet_alloc(AVBufferRef **buf, int size)
 {
    int ret;
-    if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+    if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
        return AVERROR(EINVAL);
    ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);