virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-04-14 00:58:38 +02:00
Code Issues Releases Activity

avcodec/fic: fix slice checks

Browse Source 
fix integer overflows

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2014-02-15 17:19:32 +01:00
parent ed1a687856
commit d46ef40129
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/fic.c
View File

@ -214,8 +214,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
} }
for (slice = 0; slice < nslices; slice++) { for (slice = 0; slice < nslices; slice++) {
int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
int slice_size; unsigned slice_size;
int y_off = ctx->slice_h * slice; int y_off = ctx->slice_h * slice;
int slice_h = ctx->slice_h; int slice_h = ctx->slice_h;
@ -230,11 +230,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
} }
slice_size -= slice_off; if (slice_size < slice_off || slice_size > msize)
if (slice_off > msize || slice_off + slice_size > msize)
continue; continue;
slice_size -= slice_off;
ctx->slice_data[slice].src = sdata + slice_off; ctx->slice_data[slice].src = sdata + slice_off;
ctx->slice_data[slice].src_size = slice_size; ctx->slice_data[slice].src_size = slice_size;
ctx->slice_data[slice].slice_h = slice_h; ctx->slice_data[slice].slice_h = slice_h;