diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2007-03-25 23:37:38 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2007-03-25 23:37:38 +0000 |
| commit | 0cb7f8a26094c533b7dbe25897198953b6660f15 (patch) | |
| tree | 65d689e12749734d24622d10715c5704bbddb119 | |
| parent | 34a370cb0cee7cdeef4f56ad2617ab7bf5f708ab (diff) | |
| download | ffmpeg-0cb7f8a26094c533b7dbe25897198953b6660f15.tar.gz | |
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
Originally committed as revision 8522 to svn://svn.ffmpeg.org/ffmpeg/trunk
| -rw-r--r-- | libavcodec/lzw.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c index 17194ff2fb..24b8194ac1 100644 --- a/libavcodec/lzw.c +++ b/libavcodec/lzw.c @@ -196,7 +196,6 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ } c = lzw_get_code(s); if (c == s->end_code) { - s->end_code = -1; break; } else if (c == s->clear_code) { s->cursize = s->codesize + 1; @@ -206,10 +205,11 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ fc= oc= -1; } else { code = c; - if (code >= s->slot) { + if (code == s->slot && fc>=0) { *sp++ = fc; code = oc; - } + }else if(code >= s->slot) + break; while (code >= s->newcodes) { *sp++ = s->suffix[code]; code = s->prefix[code]; @@ -229,6 +229,7 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ } } } + s->end_code = -1; the_end: s->sp = sp; s->oc = oc; |