[FFmpeg-cvslog] avcodec/fic: fix slice checks

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Feb 15 17:19:32 2014 +0100| [d46ef40129487143f2fa4e0b44b3f5e788c4fcb2] | committer: Michael Niedermayer

avcodec/fic: fix slice checks

fix integer overflows

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d46ef40129487143f2fa4e0b44b3f5e788c4fcb2
---

 libavcodec/fic.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index fc0c2a5..c4f262d 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -214,8 +214,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
     }
 
     for (slice = 0; slice < nslices; slice++) {
-        int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
-        int slice_size;
+        unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
+        unsigned slice_size;
         int y_off   = ctx->slice_h * slice;
         int slice_h = ctx->slice_h;
 
@@ -230,11 +230,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
             slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
         }
 
-        slice_size -= slice_off;
-
-        if (slice_off > msize || slice_off + slice_size > msize)
+        if (slice_size < slice_off || slice_size > msize)
             continue;
 
+        slice_size -= slice_off;
+
         ctx->slice_data[slice].src      = sdata + slice_off;
         ctx->slice_data[slice].src_size = slice_size;
         ctx->slice_data[slice].slice_h  = slice_h;