From 40187f9247d5f20f8f6c869bd1f995127dc11b55 Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Sat, 4 Nov 2017 11:45:54 +0100
Subject: [PATCH] typefindhelper: Fix overflow some more
Nothing guaranteed that off+size wouldn't exceed a 2**64 value. Instead we reverse the operation and use a subtraction.
---
 libs/gst/base/gsttypefindhelper.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libs/gst/base/gsttypefindhelper.c b/libs/gst/base/gsttypefindhelper.c
index 67efeac4a3..8a7bc28c58 100644
--- a/libs/gst/base/gsttypefindhelper.c
+++ b/libs/gst/base/gsttypefindhelper.c
@@ -446,7 +446,15 @@ buf_helper_find_peek (gpointer data, gint64 off, guint size)
 return NULL;
 }
- if (((guint64) off + size) <= helper->size)
+ /* If we request beyond the available size, we're sure we can't return
+ * anything regardless of the requested offset */
+ if (size > helper->size)
+ return NULL;
+
+ /* Only return data if there's enough room left for the given offset.
+ * This is the same as "if (off + size <= helper->size)" except that
+ * it doesn't exceed type limits */
+ if (off <= helper->size - size)
 return helper->data + off;
 return NULL;
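Review bot: The new check `if (off <= helper->size - size)` compares the signed gint64 `off` against an unsigned difference, so whether it rejects a negative offset depends on the usual-arithmetic-conversion width of `helper->size` and on `off` already having been rejected as negative earlier in the function; the `return NULL; }` at the top of the hunk looks like such a guard, but its condition is outside the hunk and cannot be confirmed here. Making the intent explicit with `if ((guint64) off <= helper->size - size)` keeps the bounds check self-contained (negative `off` converts to a value larger than any buffer size and is refused) and mirrors the cast the removed line used, so a later reordering of the earlier guard or a narrower `helper->size` type cannot reopen an out-of-bounds read. The subtraction itself cannot wrap, because the added `size > helper->size` early return guarantees `size <= helper->size`. Note that with `size == 0` the second test admits `off == helper->size` and returns a one-past-the-end pointer; harmless for a zero-length peek, but worth stating in the comment unless a zero-size check precedes the hunk. buf_helper_find_peek starts and ends outside the hunk.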