[FFmpeg-cvslog] avcodec/dirac_arith: fix integer overflow
    Michael Niedermayer 
    git at videolan.org
       
    Sat Nov  1 15:58:22 CET 2014
    
    
  
ffmpeg | branch: release/2.2 | Michael Niedermayer <michaelni at gmx.at> | Tue Oct 28 02:14:41 2014 +0100| [45361d8aa30093ba37abfea061327747710f9c9d] | committer: Michael Niedermayer
avcodec/dirac_arith: fix integer overflow
Fixes: asan_heap-oob_1078676_9_008.drc
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45361d8aa30093ba37abfea061327747710f9c9d
---
 libavcodec/dirac_arith.h |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h
index 089c71a..a1fa96b 100644
--- a/libavcodec/dirac_arith.h
+++ b/libavcodec/dirac_arith.h
@@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c
 {
     int ret = 1;
     while (!dirac_get_arith_bit(c, follow_ctx)) {
+        if (ret >= 0x40000000) {
+            av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n");
+            return -1;
+        }
         ret <<= 1;
         ret += dirac_get_arith_bit(c, data_ctx);
         follow_ctx = ff_dirac_next_ctx[follow_ctx];
    
    
More information about the ffmpeg-cvslog
mailing list