[FFmpeg-cvslog] vqavideo: check for out of bound reads.

Laurent Aimar git at videolan.org
Fri Nov 4 13:22:17 CET 2011


ffmpeg | branch: release/0.8 | Laurent Aimar <fenrir at elivagar.org> | Sun Oct  9 01:54:41 2011 +0200| [7ab0b6b7eda60e235b7db07a6895fa8bdade01c8] | committer: Michael Niedermayer

vqavideo: check for out of bound reads.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 6d45702f7f257c1cfcd3ce3287bf258854528a4a)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ab0b6b7eda60e235b7db07a6895fa8bdade01c8
---

 libavcodec/vqavideo.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 6d7f65a..64a68e1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -230,6 +230,8 @@ static void decode_format80(const unsigned char *src, int src_size,
             src_index += 2;
             av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
             CHECK_COUNT();
+            if (src_pos + count > dest_size)
+                return;
             for (i = 0; i < count; i++)
                 dest[dest_index + i] = dest[src_pos + i];
             dest_index += count;
@@ -252,6 +254,8 @@ static void decode_format80(const unsigned char *src, int src_size,
             src_index += 2;
             av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
             CHECK_COUNT();
+            if (src_pos + count > dest_size)
+                return;
             for (i = 0; i < count; i++)
                 dest[dest_index + i] = dest[src_pos + i];
             dest_index += count;
@@ -272,6 +276,8 @@ static void decode_format80(const unsigned char *src, int src_size,
             src_index += 2;
             av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
             CHECK_COUNT();
+            if (dest_index < src_pos)
+                return;
             for (i = 0; i < count; i++)
                 dest[dest_index + i] = dest[dest_index - src_pos + i];
             dest_index += count;



More information about the ffmpeg-cvslog mailing list