smc: fix the bounds check

Fixes invalid writes when there are more blocks in a run than total
remaining blocks.

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8548
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
pull/101/head
Michael Niedermayer 10 years ago committed by Anton Khirnov
parent 0b39ac6f54
commit d423dd72be
  1. 2
      libavcodec/smc.c

@ -70,7 +70,7 @@ typedef struct SmcContext {
row_ptr += stride * 4; \ row_ptr += stride * 4; \
} \ } \
total_blocks--; \ total_blocks--; \
if (total_blocks < 0) \ if (total_blocks < !!n_blocks) \
{ \ { \
av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
return; \ return; \

Loading…
Cancel
Save