avcodec/fic: fix slice checks

fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/fic: fix slice checks
fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
d46ef401 · Michael Niedermayer · ed1a6878 · d46ef401
Commit d46ef401 authored Feb 15, 2014 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

fic.c libavcodec/fic.c +5 -5

No files found.
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -214,8 +214,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
    }

    for (slice = 0; slice < nslices; slice++) {
-        int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
-        int slice_size;
+        unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
+        unsigned slice_size;
        int y_off   = ctx->slice_h * slice;
        int slice_h = ctx->slice_h;

@@ -230,11 +230,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
            slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
        }

-        slice_size -= slice_off;
-
-        if (slice_off > msize || slice_off + slice_size > msize)
+        if (slice_size < slice_off || slice_size > msize)
            continue;

+        slice_size -= slice_off;
+
        ctx->slice_data[slice].src      = sdata + slice_off;
        ctx->slice_data[slice].src_size = slice_size;
        ctx->slice_data[slice].slice_h  = slice_h;