From fa463aa83a4920b0eed47ad1f79775dfc53d21ec Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Date: Tue, 5 Jan 2016 13:05:50 +0100
Subject: avpacket: fix size check in packet_alloc

The previous check only caught sizes from -AV_INPUT_BUFFER_PADDING_SIZE
to -1.

This fixes ubsan runtime error: signed integer overflow: 2147483647 + 32
cannot be represented in type 'int'

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/avpacket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec/avpacket.c')

diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index 87454d5647..3f8e163467 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -69,7 +69,7 @@ void av_packet_free(AVPacket **pkt)
 static int packet_alloc(AVBufferRef **buf, int size)
 {
     int ret;
-    if ((unsigned)size >= (unsigned)size + AV_INPUT_BUFFER_PADDING_SIZE)
+    if (size < 0 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
         return AVERROR(EINVAL);
 
     ret = av_buffer_realloc(buf, size + AV_INPUT_BUFFER_PADDING_SIZE);
-- 
cgit v1.2.3