dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

2 files changed, 3 insertions, 3 deletions

diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index 4696bc7980..338c314f85 100644
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1800,7 +1800,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
 
 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
     long i;
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src+i);
         long b = *(long*)(dst+i);
         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1825,7 +1825,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
         }
     }else
 #endif
-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src1+i);
         long b = *(long*)(src2+i);
         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
diff --git a/libavcodec/pngdsp.c b/libavcodec/pngdsp.c
index 00734d7d10..9220c2080a 100644
--- a/libavcodec/pngdsp.c
+++ b/libavcodec/pngdsp.c
@@ -30,7 +30,7 @@
 static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w)
 {
     long i;
-    for (i = 0; i <= w - sizeof(long); i += sizeof(long)) {
+    for (i = 0; i <= w - (int)sizeof(long); i += sizeof(long)) {
         long a = *(long *)(src1 + i);
         long b = *(long *)(src2 + i);
         *(long *)(dst + i) = ((a & pb_7f) + (b & pb_7f)) ^ ((a ^ b) & pb_80);