On 05/01/16 13:05, Andreas Cadhalpun wrote: > The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE > to -1. > > This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 > cannot be represented in type 'int' > > Signed-off-by: Andreas Cadhalpun <[email protected]> > --- > libavcodec/avpacket.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c > index 97c12b5..4901d36 100644 > --- a/libavcodec/avpacket.c > +++ b/libavcodec/avpacket.c > @@ -71,7 +71,7 @@ void av_packet_free(AVPacket **pkt) > static int packet_alloc(AVBufferRef **buf, int size) > { > int ret; > - if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE) > + if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) > return AVERROR(EINVAL); > > ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE); >
Looks good. _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
