diff options
| author | Laurent Aimar <fenrir@videolan.org> | 2011-10-08 23:40:36 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-06 19:49:12 +0100 |
| commit | c603cf51704714a3b9e1d3efa78bd4627d4b9e74 (patch) | |
| tree | 48b92fd2cc4087f8885300ce6b70cf9abe4f4344 | |
| parent | e1a46eff7a1017e1d3afc5204b82e08a1ea0bf3d (diff) | |
| download | ffmpeg-c603cf51704714a3b9e1d3efa78bd4627d4b9e74.tar.gz | |
qtrle: check for out of bound writes.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a65045915f5b4ec6da73df54d1914b320a861223)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/qtrle.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index b66acd4220..d68b44f405 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -127,6 +127,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr, while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -183,6 +184,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -236,6 +238,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -285,6 +288,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { @@ -336,6 +340,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int while (lines_to_change--) { CHECK_STREAM_PTR(2); pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { if (rle_code == 0) { |