diracdec: avoid overflow of bytes*8 in decode_lowdelay

If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-05-05 22:10:44 +02:00 · 2015-05-05 22:10:44 +02:00 · 68c11b6654
commit 68c11b6654
parent 10429a5284
1 changed files with 4 additions and 1 deletions
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s)
            slice_num++;

            buf     += bytes;
-            bufsize -= bytes*8;
+            if (bufsize/8 >= bytes)
+                bufsize -= bytes*8;
+            else
+                bufsize = 0;
        }

    avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num,