Browse code
avformat/mpc8: fix broken pointer math
This could overflow and crash at least on 32 bit systems.
Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
wm4 authored on 2015/02/04 03:04:11Showing 1 changed files
| ... | ... |
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) |
| 91 | 91 |
size = bs_get_v(&bs); |
| 92 | 92 |
if (size < 2) |
| 93 | 93 |
return 0; |
| 94 |
- if (bs + size - 2 >= bs_end) |
|
| 94 |
+ if (size >= bs_end - bs + 2) |
|
| 95 | 95 |
return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet |
| 96 | 96 |
if (header_found) {
|
| 97 | 97 |
if (size < 11 || size > 28) |