From 3938349cd582abc6a5b39f2807bab5f428a0815b Mon Sep 17 00:00:00 2001
From: wm4
Date: Fri, 21 Nov 2014 05:10:28 +0100
Subject: demux_mkv: fix scary sign extension issues

Expressions involving uint16_t are promoted to int, which then can overflow if the uint16_t values are large enough. Found by Coverity.
---
 demux/demux_mkv.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'demux')
diff --git a/demux/demux_mkv.c b/demux/demux_mkv.c
index fc1d77594c..31410770c6 100644
--- a/demux/demux_mkv.c
+++ b/demux/demux_mkv.c
@@ -131,13 +131,13 @@ typedef struct mkv_track {
 double ra_pts; /* previous audio timestamp */
 /** realaudio descrambling */
- uint16_t sub_packet_size; ///< sub packet size, per stream
- uint16_t sub_packet_h; ///< number of coded frames per block
+ uint32_t sub_packet_size; ///< sub packet size, per stream
+ uint32_t sub_packet_h; ///< number of coded frames per block
 uint32_t coded_framesize; ///< coded frame size, per stream
- uint16_t audiopk_size; ///< audio packet size
+ uint32_t audiopk_size; ///< audio packet size
 unsigned char *audio_buf; ///< place to store reordered audio data
 double *audio_timestamp; ///< timestamp for each audio packet
- uint16_t sub_packet_cnt; ///< number of subpacket already received
+ uint32_t sub_packet_cnt; ///< number of subpacket already received
 int audio_filepos; ///< file position of first audio packet in block
 /* generic content encoding support */
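Review bot: The widened `sub_packet_size`, `sub_packet_h`, `audiopk_size` and `sub_packet_cnt` fields in `mkv_track` no longer carry their value range in the type, and nothing in the struct records what range the arithmetic on them assumes. The code that fills these fields from the file is outside this diff; if it still reads 16-bit values, a comment on the group would record that invariant, e.g. `/* sizes/counts below are at most 0xFFFF as parsed; uint32_t only so arithmetic on them is unsigned */`. If the parser can store larger values, the range check belongs at that point, because a product of two of these fields would then wrap modulo 2^32 silently.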
@@ -2013,11 +2013,11 @@ static void handle_realaudio(demuxer_t *demuxer, mkv_track_t *track,
 bstr data, bool keyframe)
 {
 mkv_demuxer_t *mkv_d = (mkv_demuxer_t *) demuxer->priv;
- uint16_t sps = track->sub_packet_size;
- uint16_t sph = track->sub_packet_h;
+ uint32_t sps = track->sub_packet_size;
+ uint32_t sph = track->sub_packet_h;
 uint32_t cfs = track->coded_framesize; // restricted to [1,0x40000000]
- uint16_t w = track->audiopk_size;
- uint16_t spc = track->sub_packet_cnt;
+ uint32_t w = track->audiopk_size;
+ uint32_t spc = track->sub_packet_cnt;
 uint8_t *buffer = data.start;
 uint32_t size = data.len;
 demux_packet_t *dp;
-- cgit v1.2.3
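Review bot: Widening `sps`, `sph`, `w` and `spc` to `uint32_t` in `handle_realaudio` removes the promotion to signed `int`, but any product that involves `cfs` is still evaluated in 32-bit unsigned arithmetic. With `cfs` allowed up to 0x40000000 by its own comment, such a product wraps once the other factor reaches 4. The part of the function that uses these locals is outside this hunk, so this needs confirming there: offsets and sizes built from them (presumably indexing `track->audio_buf`) should be formed in 64 bits and compared against the buffer size before any copy, e.g. `uint64_t off = (uint64_t)spc * cfs;`. A wrapped offset that still passes a bounds check is the case to rule out, since these values are taken from the media file.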