[FFmpeg-cvslog] Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder .

Laurent Aimar git at videolan.org
Sun Sep 25 01:13:22 CEST 2011


ffmpeg | branch: master | Laurent Aimar <fenrir at videolan.org> | Sat Sep 24 23:52:24 2011 +0200| [78cb39d2b2ad731dd3b984b0c0711b9f1d6de004] | committer: Michael Niedermayer

Fix potential pointer arithmetic overflows in lz_unpack of vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78cb39d2b2ad731dd3b984b0c0711b9f1d6de004
---

 libavcodec/vmdav.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 74bce45..14a41f4 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -110,7 +110,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
     while (s_end - s > 0 && dataleft > 0) {
         tag = *s++;
         if ((tag == 0xFF) && (dataleft > 8)) {
-            if (d + 8 > d_end || s_end - s < 8)
+            if (d_end - d < 8 || s_end - s < 8)
                 return;
             for (i = 0; i < 8; i++) {
                 queue[qpos++] = *d++ = *s++;
@@ -122,7 +122,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
                 if (dataleft == 0)
                     break;
                 if (tag & 0x01) {
-                    if (d + 1 > d_end || s_end - s < 1)
+                    if (d_end - d < 1 || s_end - s < 1)
                         return;
                     queue[qpos++] = *d++ = *s++;
                     qpos &= QUEUE_MASK;
@@ -138,7 +138,7 @@ static void lz_unpack(const unsigned char *src, int src_len,
                             return;
                         chainlen = *s++ + 0xF + 3;
                     }
-                    if (d + chainlen > d_end)
+                    if (d_end - d < chainlen)
                         return;
                     for (j = 0; j < chainlen; j++) {
                         *d = queue[chainofs++ & QUEUE_MASK];



More information about the ffmpeg-cvslog mailing list