From 000eb01a7d14ee635bd0e554ea92e05feb8cf685 Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Wed, 13 Jul 2016 23:53:05 +0100 Subject: [PATCH] diracdec: fix unchecked byte length Also drops the start variable since it's redundant. Found by Coverity, fixes CID1363964 Signed-off-by: Rostislav Pehlivanov --- libavcodec/diracdec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index dc42a42d86..6cb098b08c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -835,11 +835,10 @@ static int decode_hq_slice(DiracContext *s, DiracSlice *slice, uint8_t *tmp_buf) for (i = 0; i < 3; i++) { int coef_num, coef_par, off = 0; int64_t length = s->highquality.size_scaler*get_bits(gb, 8); - int64_t start = get_bits_count(gb); - int64_t bits_end = start + 8*length; + int64_t bits_end = get_bits_count(gb) + 8*length; const uint8_t *addr = align_get_bits(gb); - if (bits_end >= INT_MAX) { + if (length*8 > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "end too far away\n"); return AVERROR_INVALIDDATA; }