dfa: protect pointer range checks against overflows.

oldabi
Ronald S. Bultje 14 years ago
parent a75529e81e
commit d38345878c
  1. 6
      libavcodec/dfa.c

@ -81,7 +81,7 @@ static int decode_tsw1(uint8_t *frame, int width, int height,
v = bytestream_get_le16(&src); v = bytestream_get_le16(&src);
offset = (v & 0x1FFF) << 1; offset = (v & 0x1FFF) << 1;
count = ((v >> 13) + 2) << 1; count = ((v >> 13) + 2) << 1;
if (frame - offset < frame_start || frame_end - frame < count) if (frame - frame_start < offset || frame_end - frame < count)
return -1; return -1;
av_memcpy_backptr(frame, offset, count); av_memcpy_backptr(frame, offset, count);
frame += count; frame += count;
@ -117,7 +117,7 @@ static int decode_dsw1(uint8_t *frame, int width, int height,
v = bytestream_get_le16(&src); v = bytestream_get_le16(&src);
offset = (v & 0x1FFF) << 1; offset = (v & 0x1FFF) << 1;
count = ((v >> 13) + 2) << 1; count = ((v >> 13) + 2) << 1;
if (frame - offset < frame_start || frame_end - frame < count) if (frame - frame_start < offset || frame_end - frame < count)
return -1; return -1;
// can't use av_memcpy_backptr() since it can overwrite following pixels // can't use av_memcpy_backptr() since it can overwrite following pixels
for (v = 0; v < count; v++) for (v = 0; v < count; v++)
@ -157,7 +157,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
v = bytestream_get_le16(&src); v = bytestream_get_le16(&src);
offset = (v & 0x1FFF) << 2; offset = (v & 0x1FFF) << 2;
count = ((v >> 13) + 2) << 1; count = ((v >> 13) + 2) << 1;
if (frame - offset < frame_start || frame_end - frame < count*2 + width) if (frame - frame_start < offset || frame_end - frame < count*2 + width)
return -1; return -1;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
frame[0] = frame[1] = frame[0] = frame[1] =

Loading…
Cancel
Save