diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-03 03:37:52 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-05-03 00:28:35 +0200 |
| commit | db041fd115eeb3c7209bbb2b6e676bc061f6b09b (patch) | |
| tree | 5fca46bd40697e32ae961db8e3190d748a19a2ab | |
| parent | 7a877418e30b09a724684e5bc8742d864d35e31d (diff) | |
| download | ffmpeg-db041fd115eeb3c7209bbb2b6e676bc061f6b09b.tar.gz | |
qpeg: Fix out of array writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/qpeg.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index bbb9f71aae..adbeff03ae 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if(height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ @@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, filled = 0; dst -= stride; height--; + if(height < 0) + break; } } size -= code + 1; |