[FFmpeg-cvslog] dsputil/pngdsp: fix signed/unsigned type in end comparison
Michael Niedermayer
git at videolan.org
Mon Mar 10 18:12:02 CET 2014
ffmpeg | branch: release/0.10 | Michael Niedermayer <michaelni at gmx.at> | Fri Aug 30 23:14:32 2013 +0200| [ef6c90e102a393c136a38c1eee42bfd26e964de5] | committer: Reinhard Tartler
dsputil/pngdsp: fix signed/unsigned type in end comparison
Fixes out of array accesses and integer overflows.
(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit af9799790d7a6342027e0261b5dd87657abb7a0b)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
Conflicts:
libavcodec/pngdsp.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ef6c90e102a393c136a38c1eee42bfd26e964de5
---
libavcodec/dsputil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index 050081a..b32fea9 100644
--- a/libavcodec/dsputil.c
+++ b/libavcodec/dsputil.c
@@ -1867,7 +1867,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
long i;
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
long a = *(long*)(src+i);
long b = *(long*)(dst+i);
*(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1903,7 +1903,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
}
}else
#endif
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
long a = *(long*)(src1+i);
long b = *(long*)(src2+i);
*(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
More information about the ffmpeg-cvslog
mailing list