authorMike Melanson <mike@multimedia.cx>2005-08-13 17:46:09 +0000
committerMike Melanson <mike@multimedia.cx>2005-08-13 17:46:09 +0000
commita06c7e07d71547f2dd46890c0dbf230d8542e8cc (patch)
treed6f087cff15c56d3f8fda629d08b9f9b629751bc
parent6b892a42272eaee418b2a93069ce13c8b0eb62f4 (diff)
downloadffmpeg-a06c7e07d71547f2dd46890c0dbf230d8542e8cc.tar.gz
tinfoil patch: make sure pixel_ptr never goes negative
Originally committed as revision 4513 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/qtrle.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 41e4120dbf..0d79c5c9ed 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -58,8 +58,8 @@ typedef struct QtrleContext {
}
#define CHECK_PIXEL_PTR(n) \
- if (pixel_ptr + n > pixel_limit) { \
- av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr >= pixel_limit (%d >= %d)\n", \
+ if ((pixel_ptr + n > pixel_limit) || (pixel_ptr + n < 0)) { \
+ av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr = %d, pixel_limit = %d\n", \
pixel_ptr + n, pixel_limit); \
return; \
} \
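Review bot: The new lower-bound test in CHECK_PIXEL_PTR compares `pixel_ptr + n` with 0, so it checks the end of the range about to be written rather than its start; a negative pixel_ptr combined with a large enough n still passes. Testing the start directly closes that gap, and parenthesising the argument keeps the macro correct for expression arguments: `if (pixel_ptr < 0 || pixel_ptr + (n) > pixel_limit) { \`. The failure is also logged at AV_LOG_INFO and followed by a bare `return` from a void decode function, so the caller cannot tell that the frame was cut short; AV_LOG_ERROR would suit a corrupt-stream condition better.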
@@ -119,6 +119,7 @@ static void qtrle_decode_4bpp(QtrleContext *s)
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
pixel_ptr += (8 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
/* decode the run length code */
rle_code = -rle_code;
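Review bot: The added CHECK_PIXEL_PTR(0) guards only the in-row skip; how pixel_ptr is initialised at the start of each row lies outside the hunk, and if that assignment also subtracts 1 from a stream byte it needs the same check before the first write. The comment is slightly off as well: the macro accepts 0 and also tests the upper limit, so `/* keep pixel_ptr within [0, pixel_limit] after a skip */` describes it more accurately. Both points apply equally to the matching hunks in qtrle_decode_8bpp, qtrle_decode_16bpp, qtrle_decode_24bpp and qtrle_decode_32bpp. The body of qtrle_decode_4bpp starts and ends outside this hunk.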
@@ -209,6 +210,7 @@ static void qtrle_decode_8bpp(QtrleContext *s)
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
pixel_ptr += (4 * (s->buf[stream_ptr++] - 1));
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
/* decode the run length code */
rle_code = -rle_code;
@@ -290,6 +292,7 @@ static void qtrle_decode_16bpp(QtrleContext *s)
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 2;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
/* decode the run length code */
rle_code = -rle_code;
@@ -367,6 +370,7 @@ static void qtrle_decode_24bpp(QtrleContext *s)
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 3;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
/* decode the run length code */
rle_code = -rle_code;
@@ -446,6 +450,7 @@ static void qtrle_decode_32bpp(QtrleContext *s)
/* there's another skip code in the stream */
CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 4;
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) {
/* decode the run length code */
rle_code = -rle_code;