Commit 35cb6854 authored by Laurent Aimar's avatar Laurent Aimar Committed by Michael Niedermayer

Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder.

Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 4749e074
...@@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count, ...@@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
l = *ps++; l = *ps++;
if (l & 0x80) { if (l & 0x80) {
l = (l & 0x7F) * 2; l = (l & 0x7F) * 2;
if (pd + l > dest_end || ps_end - ps < l) if (dest_end - pd < l || ps_end - ps < l)
return ps - src; return ps - src;
memcpy(pd, ps, l); memcpy(pd, ps, l);
ps += l; ps += l;
pd += l; pd += l;
} else { } else {
if (pd + i > dest_end || ps_end - ps < 2) if (dest_end - pd < i || ps_end - ps < 2)
return ps - src; return ps - src;
for (i = 0; i < l; i++) { for (i = 0; i < l; i++) {
*pd++ = ps[0]; *pd++ = ps[0];
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment