virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00
Code Issues Releases Activity

Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder.

Browse Source 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Laurent Aimar 2011-09-24 23:52:24 +02:00 committed by Michael Niedermayer
parent 5127f465bd
commit 78cb39d2b2
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/vmdav.c
View File

@ -110,7 +110,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
while (s_end - s > 0 && dataleft > 0) { while (s_end - s > 0 && dataleft > 0) {
tag = *s++; tag = *s++;
if ((tag == 0xFF) && (dataleft > 8)) { if ((tag == 0xFF) && (dataleft > 8)) {
if (d + 8 > d_end || s_end - s < 8) if (d_end - d < 8 || s_end - s < 8)
return; return;
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
queue[qpos++] = *d++ = *s++; queue[qpos++] = *d++ = *s++;
@ -122,7 +122,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
if (dataleft == 0) if (dataleft == 0)
break; break;
if (tag & 0x01) { if (tag & 0x01) {
if (d + 1 > d_end || s_end - s < 1) if (d_end - d < 1 || s_end - s < 1)
return; return;
queue[qpos++] = *d++ = *s++; queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK; qpos &= QUEUE_MASK;
@ -138,7 +138,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
return; return;
chainlen = *s++ + 0xF + 3; chainlen = *s++ + 0xF + 3;
} }
if (d + chainlen > d_end) if (d_end - d < chainlen)
return; return;
for (j = 0; j < chainlen; j++) { for (j = 0; j < chainlen; j++) {
*d = queue[chainofs++ & QUEUE_MASK]; *d = queue[chainofs++ & QUEUE_MASK];