On Sat, Apr 18, 2015 at 06:58:30PM +0200, Andreas Cadhalpun wrote: > If begin is smaller than t, the subtraction 'begin -= t' wraps around, > because begin is unsigned. The same applies for end < t. > > This causes segmentation faults. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavcodec/alsdec.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c > index f85f1e8..ff6b6cf 100644 > --- a/libavcodec/alsdec.c > +++ b/libavcodec/alsdec.c > @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext > *ctx, ALSBlockData *bd, > > if (ch[dep].time_diff_sign) { > t = -t; > + if (begin < t) { > + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than > time diff index %d.\n", begin, t); > + return AVERROR_INVALIDDATA; > + }
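Review bot: The added check `if (begin < t)` compares an unsigned value with a signed one. The commit message says begin is unsigned, and the log format prints t with %d, so t is converted to unsigned for the comparison. If t is negative after `t = -t`, it becomes a very large value and the check returns AVERROR_INVALIDDATA for every begin. Suggest testing the sign first, for example `if (t > 0 && begin < t)`, or doing the comparison in a wider signed type.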
begin is 1, t < 0 also the comparison is unsigned so t will overflow in it

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange
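The wrap-around from the commit message and the unsigned comparison raised in the reply, shown side by side as an added example (not code from the patch, the reply or FFmpeg). The helper names are hypothetical and a 32-bit unsigned int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not FFmpeg code. */

/* Unchecked form: the subtraction is done in unsigned arithmetic,
 * so it wraps around when begin is smaller than t. */
static unsigned shift_unchecked(unsigned begin, int t)
{
    return begin - (unsigned)t;
}

/* Mixed-signedness check. The explicit cast spells out what C's usual
 * arithmetic conversions do implicitly for `begin < t`: a negative t
 * turns into a huge unsigned value, so every begin is rejected. */
static int check_mixed(unsigned begin, int t)
{
    return begin < (unsigned)t ? -1 : 0;
}

/* Signed-domain check: widen both operands, then range-check the
 * result before narrowing it back to unsigned. */
static int check_widened(unsigned begin, int t, unsigned *out)
{
    int64_t shifted = (int64_t)begin - (int64_t)t;

    if (shifted < 0 || shifted > (int64_t)UINT_MAX)
        return -1;
    *out = (unsigned)shifted;
    return 0;
}

int main(void)
{
    /* Constructed sample values. */
    unsigned out = 0;

    printf("1 - 3 unchecked    : %u\n", shift_unchecked(1, 3));
    printf("mixed check, t=-3  : %d\n", check_mixed(1, -3));
    printf("widened check, t=-3: %d", check_widened(1, -3, &out));
    printf(" (begin becomes %u)\n", out);
    printf("widened check, t=3 : %d\n", check_widened(1, 3, &out));
    return 0;
}
```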
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel