aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-02-15 17:19:32 +0100
committerDerek Buitenhuis <derek.buitenhuis@gmail.com>2014-04-21 14:56:17 -0400
commitf34d3173fcfc7f3228095d509a64c4fa4b37b575 (patch)
tree9b034a7c820d91ed149cd6d17501cf4497bfcf8f
parent93e15a323871613fd26f1f1e317029a50b5b24ca (diff)
downloadffmpeg-f34d3173fcfc7f3228095d509a64c4fa4b37b575.tar.gz
avcodec/fic: fix slice checks
fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
-rw-r--r--libavcodec/fic.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 90fda91f4c..9453941b76 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -263,8 +263,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
}
for (slice = 0; slice < nslices; slice++) {
- int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
- int slice_size;
+ unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
+ unsigned slice_size;
int y_off = ctx->slice_h * slice;
int slice_h = ctx->slice_h;
@@ -279,11 +279,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
}
- slice_size -= slice_off;
-
- if (slice_off > msize || slice_off + slice_size > msize)
+ if (slice_size < slice_off || slice_size > msize)
continue;
+ slice_size -= slice_off;
+
ctx->slice_data[slice].src = sdata + slice_off;
ctx->slice_data[slice].src_size = slice_size;
ctx->slice_data[slice].slice_h = slice_h;