Commit dbc53ffc authored by Reimar Döffinger's avatar Reimar Döffinger

Change buffer size checks to avoid the undefined overflow case.

Originally committed as revision 19047 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 2fddb91e
......@@ -87,7 +87,7 @@ static unsigned int mszh_decomp(unsigned char * srcptr, int srclen, unsigned cha
continue;
}
if ((mask & (1 << (--maskbit))) == 0) {
if (destptr + 4 > destptr_end)
if (destptr_end - destptr < 4)
break;
memcpy(destptr, srcptr, 4);
srclen -= 4;
......@@ -101,7 +101,7 @@ static unsigned int mszh_decomp(unsigned char * srcptr, int srclen, unsigned cha
ofs &= 0x7ff;
srclen -= 2;
cnt *= 4;
if (destptr + cnt > destptr_end) {
if (destptr_end - destptr < cnt) {
cnt = destptr_end - destptr;
}
for (; cnt > 0; cnt--) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment