avcodec/fic: fix slice checks

fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

avcodec/fic: fix slice checks
fix integer overflows Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
f34d3173 · Michael Niedermayer · Derek Buitenhuis · 93e15a32 · f34d3173
Commit f34d3173 authored Feb 15, 2014 by Michael Niedermayer Committed by Derek Buitenhuis Apr 21, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

fic.c libavcodec/fic.c +5 -5

No files found.
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -263,8 +263,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
    }

    for (slice = 0; slice < nslices; slice++) {
-        int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
-        int slice_size;
+        unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
+        unsigned slice_size;
        int y_off   = ctx->slice_h * slice;
        int slice_h = ctx->slice_h;

@@ -279,11 +279,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
            slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
        }

-        slice_size -= slice_off;
-
-        if (slice_off > msize || slice_off + slice_size > msize)
+        if (slice_size < slice_off || slice_size > msize)
            continue;

+        slice_size -= slice_off;
+
        ctx->slice_data[slice].src      = sdata + slice_off;
        ctx->slice_data[slice].src_size = slice_size;
        ctx->slice_data[slice].slice_h  = slice_h;