diff options
author | Mike Melanson <mike@multimedia.cx> | 2005-08-13 17:46:09 +0000 |
---|---|---|
committer | Mike Melanson <mike@multimedia.cx> | 2005-08-13 17:46:09 +0000 |
commit | a06c7e07d71547f2dd46890c0dbf230d8542e8cc (patch) | |
tree | d6f087cff15c56d3f8fda629d08b9f9b629751bc | |
parent | 6b892a42272eaee418b2a93069ce13c8b0eb62f4 (diff) | |
download | ffmpeg-a06c7e07d71547f2dd46890c0dbf230d8542e8cc.tar.gz |
tinfoil patch: make sure pixel_ptr never goes negative
Originally committed as revision 4513 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/qtrle.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 41e4120dbf..0d79c5c9ed 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -58,8 +58,8 @@ typedef struct QtrleContext { } #define CHECK_PIXEL_PTR(n) \ - if (pixel_ptr + n > pixel_limit) { \ - av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr >= pixel_limit (%d >= %d)\n", \ + if ((pixel_ptr + n > pixel_limit) || (pixel_ptr + n < 0)) { \ + av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr = %d, pixel_limit = %d\n", \ pixel_ptr + n, pixel_limit); \ return; \ } \ @@ -119,6 +119,7 @@ static void qtrle_decode_4bpp(QtrleContext *s) /* there's another skip code in the stream */ CHECK_STREAM_PTR(1); pixel_ptr += (8 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ } else if (rle_code < 0) { /* decode the run length code */ rle_code = -rle_code; @@ -209,6 +210,7 @@ static void qtrle_decode_8bpp(QtrleContext *s) /* there's another skip code in the stream */ CHECK_STREAM_PTR(1); pixel_ptr += (4 * (s->buf[stream_ptr++] - 1)); + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ } else if (rle_code < 0) { /* decode the run length code */ rle_code = -rle_code; @@ -290,6 +292,7 @@ static void qtrle_decode_16bpp(QtrleContext *s) /* there's another skip code in the stream */ CHECK_STREAM_PTR(1); pixel_ptr += (s->buf[stream_ptr++] - 1) * 2; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ } else if (rle_code < 0) { /* decode the run length code */ rle_code = -rle_code; @@ -367,6 +370,7 @@ static void qtrle_decode_24bpp(QtrleContext *s) /* there's another skip code in the stream */ CHECK_STREAM_PTR(1); pixel_ptr += (s->buf[stream_ptr++] - 1) * 3; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ } else if (rle_code < 0) { /* decode the run length code */ rle_code = -rle_code; @@ -446,6 +450,7 @@ static void qtrle_decode_32bpp(QtrleContext *s) /* there's another skip code in the stream */ CHECK_STREAM_PTR(1); pixel_ptr += (s->buf[stream_ptr++] - 1) * 4; + CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ } else if (rle_code < 0) { /* decode the run length code */ rle_code = -rle_code; |