This could overflow and crash at least on 32 bit systems.
Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) |
91 | 91 |
size = bs_get_v(&bs); |
92 | 92 |
if (size < 2) |
93 | 93 |
return 0; |
94 |
- if (bs + size - 2 >= bs_end) |
|
94 |
+ if (size >= bs_end - bs + 2) |
|
95 | 95 |
return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet |
96 | 96 |
if (header_found) { |
97 | 97 |
if (size < 11 || size > 28) |