ffmpeg | branch: release/2.7 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Fri Nov 6 21:04:34 2015 +0100| [cd8bedb9fa7c3d04288bf57b64081b4a89aefb4d] | committer: Michael Niedermayer
jvdec: avoid unsigned overflow in comparison The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Reviewed-by: Paul B Mahol <one...@gmail.com> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> (cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd8bedb9fa7c3d04288bf57b64081b4a89aefb4d --- libavformat/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 64d31e0..103507d 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct JVDemuxContext { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
