avpacket: fix size check in packet_alloc

The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE to -1. This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Signed-off-by: N Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: N Anton Khirnov <anton@khirnov.net>

avpacket: fix size check in packet_alloc
The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE to -1. This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Signed-off-by: N Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: N Anton Khirnov <anton@khirnov.net>
fa463aa8 · Andreas Cadhalpun · Anton Khirnov · 06628137 · fa463aa8
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

libavcodec/avpacket.c libavcodec/avpacket.c +1 -1

未找到文件。
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -69,7 +69,7 @@ void av_packet_free(AVPacket **pkt)
 static int packet_alloc(AVBufferRef **buf, int size)
 {
    int ret;
-    if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+    if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
        return AVERROR(EINVAL);

    ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);