vqavideo: check for out of bound reads.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

vqavideo: check for out of bound reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6d45702f · Laurent Aimar · Michael Niedermayer · e3123856 · 6d45702f
Commit 6d45702f authored Oct 08, 2011 by Laurent Aimar Committed by Michael Niedermayer Oct 09, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

vqavideo.c libavcodec/vqavideo.c +6 -0

No files found.
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -230,6 +230,8 @@ static void decode_format80(const unsigned char *src, int src_size,
            src_index += 2;
            av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
            CHECK_COUNT();
+            if (src_pos + count > dest_size)
+                return;
            for (i = 0; i < count; i++)
                dest[dest_index + i] = dest[src_pos + i];
            dest_index += count;
@@ -252,6 +254,8 @@ static void decode_format80(const unsigned char *src, int src_size,
            src_index += 2;
            av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
            CHECK_COUNT();
+            if (src_pos + count > dest_size)
+                return;
            for (i = 0; i < count; i++)
                dest[dest_index + i] = dest[src_pos + i];
            dest_index += count;
@@ -272,6 +276,8 @@ static void decode_format80(const unsigned char *src, int src_size,
            src_index += 2;
            av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
            CHECK_COUNT();
+            if (dest_index < src_pos)
+                return;
            for (i = 0; i < count; i++)
                dest[dest_index + i] = dest[dest_index - src_pos + i];
            dest_index += count;