Commit 0cb7f8a2 authored by Michael Niedermayer's avatar Michael Niedermayer

check input validity, this prevents a few variables from reachin odd values...

check input validity; this prevents a few variables from reaching odd values which might have led to out-of-array writes and thus might have been exploitable

Originally committed as revision 8522 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 34a370cb
...@@ -196,7 +196,6 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ ...@@ -196,7 +196,6 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
} }
c = lzw_get_code(s); c = lzw_get_code(s);
if (c == s->end_code) { if (c == s->end_code) {
s->end_code = -1;
break; break;
} else if (c == s->clear_code) { } else if (c == s->clear_code) {
s->cursize = s->codesize + 1; s->cursize = s->codesize + 1;
...@@ -206,10 +205,11 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ ...@@ -206,10 +205,11 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
fc= oc= -1; fc= oc= -1;
} else { } else {
code = c; code = c;
if (code >= s->slot) { if (code == s->slot && fc>=0) {
*sp++ = fc; *sp++ = fc;
code = oc; code = oc;
} }else if(code >= s->slot)
break;
while (code >= s->newcodes) { while (code >= s->newcodes) {
*sp++ = s->suffix[code]; *sp++ = s->suffix[code];
code = s->prefix[code]; code = s->prefix[code];
...@@ -229,6 +229,7 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){ ...@@ -229,6 +229,7 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
} }
} }
} }
s->end_code = -1;
the_end: the_end:
s->sp = sp; s->sp = sp;
s->oc = oc; s->oc = oc;
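Review bot: The new `}else if(code >= s->slot) break;` in the second hunk stops decoding on an out-of-range code but leaves the loop the same way a genuine end code does, so as far as these hunks show the caller gets a short output with no sign that the stream was corrupt. Consider reporting an error or logging at that point, or at minimum add a comment such as `/* code not yet in the table: invalid input, stop decoding */` and brace the branch to match the surrounding `if`/`else` style. The `s->end_code = -1;` that moved to just before `the_end:` now runs for both exits; a one-line comment stating that it marks the stream as finished for later calls would help, if that is the intent. ff_lzw_decode begins and ends outside the hunks shown, so the return value and the bound on `sp` could not be checked here.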