From 21ebfcdd43860c3cd071ced8b558bc1b41c47f1f Mon Sep 17 00:00:00 2001
From: wm4 <nfxjfg@googlemail.com>
Date: Tue, 3 Feb 2015 19:04:11 +0100
Subject: [PATCH] avformat/mpc8: fix broken pointer math
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This could overflow and crash at least on 32 bit systems.

Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa)

Conflicts:

	libavformat/mpc8.c
(cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/mpc8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 23fb637cd1..aa885f2dd5 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p)
         size = bs_get_v(&bs);
         if (size < 2)
             return 0;
-        if (bs + size - 2 >= bs_end)
+        if (size >= bs_end - bs + 2)
             return AVPROBE_SCORE_MAX / 4 - 1; //seems to be valid MPC but no header yet
         if (header_found) {
             if (size < 11 || size > 28)