[FFmpeg-cvslog] Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder.

Laurent Aimar git at videolan.org
Sat Oct 1 21:38:49 CEST 2011


ffmpeg | branch: release/0.8 | Laurent Aimar <fenrir at videolan.org> | Sun Sep 25 00:08:51 2011 +0200| [1b26a734b23829f0756500f9cec2ac47baa65cd7] | committer: Michael Niedermayer

Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 35cb6854bb76b4a5b6f2aea2dce81e18d7ab61cd)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b26a734b23829f0756500f9cec2ac47baa65cd7
---

 libavcodec/vmdav.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 90cbab8..1f9694e 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
         l = *ps++;
         if (l & 0x80) {
             l = (l & 0x7F) * 2;
-            if (pd + l > dest_end || ps_end - ps < l)
+            if (dest_end - pd < l || ps_end - ps < l)
                 return ps - src;
             memcpy(pd, ps, l);
             ps += l;
             pd += l;
         } else {
-            if (pd + i > dest_end || ps_end - ps < 2)
+            if (dest_end - pd < i || ps_end - ps < 2)
                 return ps - src;
             for (i = 0; i < l; i++) {
                 *pd++ = ps[0];



More information about the ffmpeg-cvslog mailing list