mpc8: fix broken pointer math

wm4 Tue, 03 Feb 2015 10:05:57 -0800

This could overflow and crash at least on 32 bit systems.
---
 libavformat/mpc8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index a15dc25..d6ca338 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p)
         size = bs_get_v(&bs);
         if (size < 2)
             return 0;
-        if (bs + size - 2 >= bs_end)
+        if (size >= bs_end - bs + 2)
             return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but 
no header yet
         if (header_found) {
             if (size < 11 || size > 28)
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

[FFmpeg-devel] [PATCH 1/2] avformat/mpc8: fix broken pointer math

Reply via email to