authorwm4 <wm4@nowhere>2014-11-21 05:10:28 +0100
committerwm4 <wm4@nowhere>2014-11-21 05:18:01 +0100
commit3938349cd582abc6a5b39f2807bab5f428a0815b (patch)
tree8a3dd200aeb89be525731eb1f3f08cb26f2689cb
parent550c16fe9dc3e6e6bf199ff756c581855513f1c5 (diff)
demux_mkv: fix scary sign extension issues
Expressions involving uint16_t are promoted to int, which then can overflow if the uint16_t values are large enough. Found by Coverity.
-rw-r--r--demux/demux_mkv.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index fc1d77594c..31410770c6 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -131,13 +131,13 @@ typedef struct mkv_track {
double ra_pts; /* previous audio timestamp */
/** realaudio descrambling */
- uint16_t sub_packet_size; ///< sub packet size, per stream
- uint16_t sub_packet_h; ///< number of coded frames per block
+ uint32_t sub_packet_size; ///< sub packet size, per stream
+ uint32_t sub_packet_h; ///< number of coded frames per block
uint32_t coded_framesize; ///< coded frame size, per stream
- uint16_t audiopk_size; ///< audio packet size
+ uint32_t audiopk_size; ///< audio packet size
unsigned char *audio_buf; ///< place to store reordered audio data
double *audio_timestamp; ///< timestamp for each audio packet
- uint16_t sub_packet_cnt; ///< number of subpacket already received
+ uint32_t sub_packet_cnt; ///< number of subpacket already received
int audio_filepos; ///< file position of first audio packet in block
/* generic content encoding support */
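Review bot: The widened fields `sub_packet_size`, `sub_packet_h`, `audiopk_size` and `sub_packet_cnt` no longer carry their value range in the type, and their doc comments do not state one. `coded_framesize` is annotated in `handle_realaudio` as restricted to [1,0x40000000], but nothing visible here says what these four may hold or where that is enforced. I would extend each comment with the bound and the place it is checked, for example `///< sub packet size, per stream; max <BOUND>, validated in <PARSER>` (both placeholders to be filled in from the header-parsing code), so later arithmetic on the fields can be checked against a known maximum. The struct starts and ends outside the hunk.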
@@ -2013,11 +2013,11 @@ static void handle_realaudio(demuxer_t *demuxer, mkv_track_t *track,
bstr data, bool keyframe)
{
mkv_demuxer_t *mkv_d = (mkv_demuxer_t *) demuxer->priv;
- uint16_t sps = track->sub_packet_size;
- uint16_t sph = track->sub_packet_h;
+ uint32_t sps = track->sub_packet_size;
+ uint32_t sph = track->sub_packet_h;
uint32_t cfs = track->coded_framesize; // restricted to [1,0x40000000]
- uint16_t w = track->audiopk_size;
- uint16_t spc = track->sub_packet_cnt;
+ uint32_t w = track->audiopk_size;
+ uint32_t spc = track->sub_packet_cnt;
uint8_t *buffer = data.start;
uint32_t size = data.len;
demux_packet_t *dp;
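Review bot: Widening `sps`, `sph`, `w` and `spc` to `uint32_t` removes the signed-overflow case, but products of these locals are now evaluated modulo 2^32 instead of being bounded. With `cfs` allowed up to 0x40000000 per the comment on its line, a product such as `spc * cfs` wraps once `spc` reaches 4 at that upper bound, and a wrapped value is well-defined yet still wrong. The arithmetic itself is outside the hunk, so this is inferred: if such products are used as offsets or lengths into `track->audio_buf`, compute them in a wider type, e.g. `uint64_t off = (uint64_t)spc * cfs;`, and compare the result with the allocated size before the copy. The body of `handle_realaudio` continues past the hunk.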