diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-09-20 17:33:23 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-09-20 20:06:55 +0200 |
| commit | 5b33f523d736a11c9db88f998708c6f67691f445 (patch) | |
| tree | c0b538de62a5a3f3cc890b499fe218a665c25386 /MAINTAINERS | |
| parent | 913aa4204a2a2e0f3588f628441bf8d6edc12db7 (diff) | |
| download | ffmpeg-5b33f523d736a11c9db88f998708c6f67691f445.tar.gz | |
avformat/aaxdec: Fix potential integer overflow
The AAX demuxer reads a 32bit number containing the amount of entries
of an array and stores it in an uint32_t. Yet when iterating over this
array, a loop counter of type int is used. This leads to undefined
behaviour if the amount of entries is not in the range of int; to avoid
this, it is generally good to use the same type for the loop counter as
for the variable it is compared to. This is done in one of the two loops
affected by this.
In the other loop, the undefined behaviour can begin even earlier: Here
the loop counter is multiplied by an uint16_t which can overflow as soon
as the loop counter is > 2^15. Using an unsigned type would avoid the
undefined behaviour, but truncation would still be possible, so use an
uint64_t.
Also use an uint32_t for a variable containing an index in said array.
This fixes Coverity issue #1466767.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Diffstat (limited to 'MAINTAINERS')
0 files changed, 0 insertions, 0 deletions