Fix for overflow issue in mpegvideo.c patch by (Martin Boehme: boehme, inb uni-luebec...

this integer overflow might lead to the execution of arbitrary code during encoding with threads

Originally committed as revision 4474 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index a601713..87a56ff 100644 (file)
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -2316,8 +2316,8 @@ int MPV_encode_picture(AVCodecContext *avctx,
         int start_y= s->thread_context[i]->start_mb_y;
         int   end_y= s->thread_context[i]->  end_mb_y;
         int h= s->mb_height;
-        uint8_t *start= buf + buf_size*start_y/h;
-        uint8_t *end  = buf + buf_size*  end_y/h;
+        uint8_t *start= buf + (size_t)(((int64_t) buf_size)*start_y/h);
+        uint8_t *end  = buf + (size_t)(((int64_t) buf_size)*  end_y/h);
 
         init_put_bits(&s->thread_context[i]->pb, start, end - start);
     }