On Fri, Dec 18, 2015 at 05:22:31PM +0100, Andreas Cadhalpun wrote: > If it is negative, it makes size larger than the size of the packet > buffer, causing invalid writes in avio_read. > > Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > --- > libavformat/nutdec.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c > index 286d1ee..47ae7a7 100644 > --- a/libavformat/nutdec.c > +++ b/libavformat/nutdec.c > @@ -1146,6 +1146,11 @@ static int decode_frame(NUTContext *nut, AVPacket > *pkt, int frame_code) > goto fail; > } > sm_size = avio_tell(bc) - pkt->pos; > + if (sm_size < 0) {
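Review bot: the added `if (sm_size < 0)` test sits after the assignment `sm_size = avio_tell(bc) - pkt->pos;`, so it checks the stored value rather than the 64-bit difference that avio_tell() and pkt->pos produce. If sm_size is narrower than 64 bits, a large difference can be truncated before the check sees it. The check also covers only the negative case, not a difference larger than the remaining packet size. Consider computing the difference in a 64-bit temporary, rejecting anything outside 0..size before it is subtracted from size, and adding a short comment that says which input makes the difference negative.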
did sm_size overflow and should be 64bit?
did the byte position (avio_tell) move backward? (this should not happen)

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
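The failure mode discussed in this thread, as an added example that is not part of the original messages and is not FFmpeg code: a stand-alone model of subtracting a position difference from a declared payload size, unchecked and then range-checked in 64 bits. The function names, the `int` type used for `sm_size` and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not FFmpeg code. `size` is the payload length the
 * packet buffer was sized for; `start` and `now` are the stream positions
 * before and after the side data was parsed. */
enum { SM_OK = 0, SM_INVALID = -1 };

/* Unchecked form: the difference is stored in an int (assumed type) and
 * subtracted from size without any range test. */
static int remaining_unchecked(int size, int64_t start, int64_t now)
{
    int sm_size = (int)(now - start); /* negative if the position moved back */
    return size - sm_size;            /* negative sm_size makes this > size */
}

/* Checked form: keep the difference in 64 bits and accept it only when it
 * lies in 0..size, so the result can never exceed the buffer size. */
static int remaining_checked(int size, int64_t start, int64_t now, int *remaining)
{
    if (size < 0 || start < 0 || now < 0)
        return SM_INVALID;
    int64_t consumed = now - start;   /* cannot overflow: both are >= 0 */
    if (consumed < 0 || consumed > size)
        return SM_INVALID;
    *remaining = size - (int)consumed;
    return SM_OK;
}

int main(void)
{
    /* Constructed sample positions, not taken from a real file. */
    const int64_t start = 1000;
    const int64_t cases[] = { 990, 1008, 1100, 1101, 1000 + 4294967304LL };
    const int size = 100;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int left = -1;
        int rc = remaining_checked(size, start, cases[i], &left);
        printf("now=%lld checked=%s remaining=%d\n",
               (long long)cases[i], rc == SM_OK ? "ok" : "invalid", left);
    }
    /* Backward move by 10 bytes: the unchecked result exceeds the buffer. */
    printf("unchecked(backward)=%d of %d\n",
           remaining_unchecked(size, start, 990), size);
    return 0;
}
```

The last constructed case is a difference of 2^32 + 8, which a 32-bit `int` cannot represent; the 64-bit comparison rejects it regardless of how a narrowing conversion would behave.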