qpeg: Fix out of array writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-03 03:37:52 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-16 06:29:10 +0100
commit: 5dbc75870f486fb9c0237870eafa834a8a2066c8 (patch)
tree: 6a30e8db5c76c1465828fec2b6e21771558787df
parent: c91a14638e4e3ea8652ecbedb3228b5a5d4c019f (diff)
download: ffmpeg-5dbc75870f486fb9c0237870eafa834a8a2066c8.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index bbb9f71aae..adbeff03ae 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                     filled = 0;
                     dst -= stride;
                     height--;
+                    if(height < 0)
+                        break;
                 }
             }
         } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
@@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                     filled = 0;
                     dst -= stride;
                     height--;
+                    if(height < 0)
+                        break;
                 }
             }
             size -= code + 1;
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-03 03:37:52 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-16 06:29:10 +0100
commit	5dbc75870f486fb9c0237870eafa834a8a2066c8 (patch)
tree	6a30e8db5c76c1465828fec2b6e21771558787df
parent	c91a14638e4e3ea8652ecbedb3228b5a5d4c019f (diff)
download	ffmpeg-5dbc75870f486fb9c0237870eafa834a8a2066c8.tar.gz