Commit a06c7e07 authored by Mike Melanson's avatar Mike Melanson

tinfoil patch: make sure pixel_ptr never goes negative

Originally committed as revision 4513 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 6b892a42
...@@ -58,8 +58,8 @@ typedef struct QtrleContext { ...@@ -58,8 +58,8 @@ typedef struct QtrleContext {
} }
#define CHECK_PIXEL_PTR(n) \ #define CHECK_PIXEL_PTR(n) \
if (pixel_ptr + n > pixel_limit) { \ if ((pixel_ptr + n > pixel_limit) || (pixel_ptr + n < 0)) { \
av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr >= pixel_limit (%d >= %d)\n", \ av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr = %d, pixel_limit = %d\n", \
pixel_ptr + n, pixel_limit); \ pixel_ptr + n, pixel_limit); \
return; \ return; \
} \ } \
...@@ -119,6 +119,7 @@ static void qtrle_decode_4bpp(QtrleContext *s) ...@@ -119,6 +119,7 @@ static void qtrle_decode_4bpp(QtrleContext *s)
/* there's another skip code in the stream */ /* there's another skip code in the stream */
CHECK_STREAM_PTR(1); CHECK_STREAM_PTR(1);
pixel_ptr += (8 * (s->buf[stream_ptr++] - 1)); pixel_ptr += (8 * (s->buf[stream_ptr++] - 1));
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) { } else if (rle_code < 0) {
/* decode the run length code */ /* decode the run length code */
rle_code = -rle_code; rle_code = -rle_code;
...@@ -209,6 +210,7 @@ static void qtrle_decode_8bpp(QtrleContext *s) ...@@ -209,6 +210,7 @@ static void qtrle_decode_8bpp(QtrleContext *s)
/* there's another skip code in the stream */ /* there's another skip code in the stream */
CHECK_STREAM_PTR(1); CHECK_STREAM_PTR(1);
pixel_ptr += (4 * (s->buf[stream_ptr++] - 1)); pixel_ptr += (4 * (s->buf[stream_ptr++] - 1));
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) { } else if (rle_code < 0) {
/* decode the run length code */ /* decode the run length code */
rle_code = -rle_code; rle_code = -rle_code;
...@@ -290,6 +292,7 @@ static void qtrle_decode_16bpp(QtrleContext *s) ...@@ -290,6 +292,7 @@ static void qtrle_decode_16bpp(QtrleContext *s)
/* there's another skip code in the stream */ /* there's another skip code in the stream */
CHECK_STREAM_PTR(1); CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 2; pixel_ptr += (s->buf[stream_ptr++] - 1) * 2;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) { } else if (rle_code < 0) {
/* decode the run length code */ /* decode the run length code */
rle_code = -rle_code; rle_code = -rle_code;
...@@ -367,6 +370,7 @@ static void qtrle_decode_24bpp(QtrleContext *s) ...@@ -367,6 +370,7 @@ static void qtrle_decode_24bpp(QtrleContext *s)
/* there's another skip code in the stream */ /* there's another skip code in the stream */
CHECK_STREAM_PTR(1); CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 3; pixel_ptr += (s->buf[stream_ptr++] - 1) * 3;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) { } else if (rle_code < 0) {
/* decode the run length code */ /* decode the run length code */
rle_code = -rle_code; rle_code = -rle_code;
...@@ -446,6 +450,7 @@ static void qtrle_decode_32bpp(QtrleContext *s) ...@@ -446,6 +450,7 @@ static void qtrle_decode_32bpp(QtrleContext *s)
/* there's another skip code in the stream */ /* there's another skip code in the stream */
CHECK_STREAM_PTR(1); CHECK_STREAM_PTR(1);
pixel_ptr += (s->buf[stream_ptr++] - 1) * 4; pixel_ptr += (s->buf[stream_ptr++] - 1) * 4;
CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */
} else if (rle_code < 0) { } else if (rle_code < 0) {
/* decode the run length code */ /* decode the run length code */
rle_code = -rle_code; rle_code = -rle_code;
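Review bot: In the CHECK_PIXEL_PTR macro (first hunk) the argument `n` is used unparenthesized in both `pixel_ptr + n` comparisons, so a caller passing a compound expression with lower precedence than `+` would be grouped incorrectly; the usual hygiene is `if ((pixel_ptr + (n) > pixel_limit) || (pixel_ptr + (n) < 0)) { \`. The new `< 0` test only holds while `pixel_ptr` and every `n` stay signed (they appear to be ints, given the `%d` formats and the `rle_code < 0` branch), because an unsigned operand would promote the sum and make the test always false, so a one-line comment above the macro stating that signedness assumption would stop a later `size_t` change from silently disabling the bound check. The `CHECK_PIXEL_PTR(0)` added after each `pixel_ptr +=` in the 4/8/16/24/32bpp hunks runs after the index has already been updated, which is acceptable only because `pixel_ptr` is an integer offset rather than a pointer; the enclosing decode functions begin and end outside these hunks. Reporting a malformed-stream condition at AV_LOG_INFO rather than AV_LOG_ERROR is a minor style point.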