Commit f34d3173 authored by Michael Niedermayer's avatar Michael Niedermayer Committed by Derek Buitenhuis

avcodec/fic: fix slice checks

fix integer overflows
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
Signed-off-by: 's avatarDerek Buitenhuis <derek.buitenhuis@gmail.com>
parent 93e15a32
......@@ -263,8 +263,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
}
for (slice = 0; slice < nslices; slice++) {
int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
int slice_size;
unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
unsigned slice_size;
int y_off = ctx->slice_h * slice;
int slice_h = ctx->slice_h;
......@@ -279,11 +279,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
}
slice_size -= slice_off;
if (slice_off > msize || slice_off + slice_size > msize)
if (slice_size < slice_off || slice_size > msize)
continue;
slice_size -= slice_off;
ctx->slice_data[slice].src = sdata + slice_off;
ctx->slice_data[slice].src_size = slice_size;
ctx->slice_data[slice].slice_h = slice_h;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment