aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorLaurent Aimar <fenrir@videolan.org>2011-09-24 23:52:24 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-09-25 00:27:29 +0200
commit78cb39d2b2ad731dd3b984b0c0711b9f1d6de004 (patch)
treee07dcdbb7b938a5695853486026c45fa08776c65 /libavcodec
parent5127f465bd3e2cf9cbf66dea3cf7b481b522d266 (diff)
downloadffmpeg-78cb39d2b2ad731dd3b984b0c0711b9f1d6de004.tar.gz
Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/vmdav.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 74bce45c80..14a41f40e8 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -110,7 +110,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
while (s_end - s > 0 && dataleft > 0) {
tag = *s++;
if ((tag == 0xFF) && (dataleft > 8)) {
- if (d + 8 > d_end || s_end - s < 8)
+ if (d_end - d < 8 || s_end - s < 8)
return;
for (i = 0; i < 8; i++) {
queue[qpos++] = *d++ = *s++;
@@ -122,7 +122,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
if (dataleft == 0)
break;
if (tag & 0x01) {
- if (d + 1 > d_end || s_end - s < 1)
+ if (d_end - d < 1 || s_end - s < 1)
return;
queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK;
@@ -138,7 +138,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
return;
chainlen = *s++ + 0xF + 3;
}
- if (d + chainlen > d_end)
+ if (d_end - d < chainlen)
return;
for (j = 0; j < chainlen; j++) {
*d = queue[chainofs++ & QUEUE_MASK];