diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2014-02-15 17:19:32 +0100 |
---|---|---|
committer | Derek Buitenhuis <derek.buitenhuis@gmail.com> | 2014-04-21 14:56:17 -0400 |
commit | f34d3173fcfc7f3228095d509a64c4fa4b37b575 (patch) | |
tree | 9b034a7c820d91ed149cd6d17501cf4497bfcf8f | |
parent | 93e15a323871613fd26f1f1e317029a50b5b24ca (diff) | |
download | ffmpeg-f34d3173fcfc7f3228095d509a64c4fa4b37b575.tar.gz |
avcodec/fic: fix slice checks
fix integer overflows
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
-rw-r--r-- | libavcodec/fic.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 90fda91f4c..9453941b76 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -263,8 +263,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, } for (slice = 0; slice < nslices; slice++) { - int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); - int slice_size; + unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); + unsigned slice_size; int y_off = ctx->slice_h * slice; int slice_h = ctx->slice_h; @@ -279,11 +279,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); } - slice_size -= slice_off; - - if (slice_off > msize || slice_off + slice_size > msize) + if (slice_size < slice_off || slice_size > msize) continue; + slice_size -= slice_off; + ctx->slice_data[slice].src = sdata + slice_off; ctx->slice_data[slice].src_size = slice_size; ctx->slice_data[slice].slice_h = slice_h; |