this integer overflow might lead to the execution of arbitrary code during encoding with threads
Originally committed as revision 4474 to svn://svn.ffmpeg.org/ffmpeg/trunk
int start_y= s->thread_context[i]->start_mb_y;
int end_y= s->thread_context[i]-> end_mb_y;
int h= s->mb_height;
- uint8_t *start= buf + buf_size*start_y/h;
- uint8_t *end = buf + buf_size* end_y/h;
+ uint8_t *start= buf + (size_t)(((int64_t) buf_size)*start_y/h);
+ uint8_t *end = buf + (size_t)(((int64_t) buf_size)* end_y/h);
init_put_bits(&s->thread_context[i]->pb, start, end - start);
}
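Review bot: The widened `start`/`end` expressions carry no comment saying why the `int64_t` cast is there, so a later cleanup could drop it and reintroduce the 32-bit overflow of `buf_size*start_y`. I would add `/* 64-bit product: buf_size*mb_y can overflow int for large output buffers */` above the two lines. The `(size_t)` cast also assumes `buf_size >= 0` and `h > 0`, and neither is checked in the visible lines; a negative quotient would turn into a very large pointer offset. If the caller does not already guarantee this, a guard such as `if (buf_size < 0 || h <= 0) return -1;` before the loop would help. The enclosing loop and function start outside the hunk, so that guarantee may already exist above.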