Browse Source
avcodec/fic: fix slice checks
fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>tags/n2.3
Michael Niedermayer
Derek Buitenhuis
11 years ago
1 changed files with 5 additions and 5 deletions
Unified View
Diff Options
-
+5 -5libavcodec/fic.c
+ 5
- 5
libavcodec/fic.c
View File
| @@ -263,8 +263,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, | |||||
| } | } | ||||
| for (slice = 0; slice < nslices; slice++) { | for (slice = 0; slice < nslices; slice++) { | ||||
| int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); | |||||
| int slice_size; | |||||
| unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); | |||||
| unsigned slice_size; | |||||
| int y_off = ctx->slice_h * slice; | int y_off = ctx->slice_h * slice; | ||||
| int slice_h = ctx->slice_h; | int slice_h = ctx->slice_h; | ||||
| @@ -279,11 +279,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, | |||||
| slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); | slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); | ||||
| } | } | ||||
| slice_size -= slice_off; | |||||
| if (slice_off > msize || slice_off + slice_size > msize) | |||||
| if (slice_size < slice_off || slice_size > msize) | |||||
| continue; | continue; | ||||
| slice_size -= slice_off; | |||||
| ctx->slice_data[slice].src = sdata + slice_off; | ctx->slice_data[slice].src = sdata + slice_off; | ||||
| ctx->slice_data[slice].src_size = slice_size; | ctx->slice_data[slice].src_size = slice_size; | ||||
| ctx->slice_data[slice].slice_h = slice_h; | ctx->slice_data[slice].slice_h = slice_h; | ||||