[FFmpeg-cvslog] avcodec/iff: rewrite out of bounds checking in writer

Paul B Mahol git at videolan.org
Sun May 15 16:36:38 CEST 2016


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Sun May 15 16:33:33 2016 +0200| [5350e0fc97a50de7cb387d1d5f07fe25c9c4a935] | committer: Paul B Mahol

avcodec/iff: rewrite out of bounds checking in writer

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5350e0fc97a50de7cb387d1d5f07fe25c9c4a935
---

 libavcodec/iff.c |   26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 674a5c2..eef7ce1 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -823,7 +823,7 @@ static void decode_delta_j(uint8_t *dst,
                            int w, int h, int bpp, int dst_size)
 {
     int32_t pitch;
-    uint8_t *end = dst + dst_size, *ptr;
+    uint8_t *ptr;
     uint32_t type, flag, cols, groups, rows, bytes;
     uint32_t offset;
     int planepitch_byte = (w + 7) / 8;
@@ -855,22 +855,20 @@ static void decode_delta_j(uint8_t *dst,
                 else
                     offset = ((offset / planepitch_byte) * pitch) + (offset % planepitch_byte);
 
-                ptr = dst + offset;
-                if (ptr >= end)
-                    return;
-
                 for (b = 0; b < cols; b++) {
                     for (d = 0; d < bpp; d++) {
                         uint8_t value = bytestream2_get_byte(&gb);
 
+                        if (offset >= dst_size)
+                            return;
+                        ptr = dst + offset;
+
                         if (flag)
                             ptr[0] ^= value;
                         else
                             ptr[0]  = value;
 
-                        ptr += planepitch;
-                        if (ptr >= end)
-                            return;
+                        offset += planepitch;
                     }
                 }
                 if ((cols * bpp) & 1)
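Review bot: The new guard `if (offset >= dst_size)` compares the `uint32_t offset` with the `int dst_size` parameter, so `dst_size` is converted to unsigned and a negative value would act as a huge bound that almost every offset passes. Whether any caller can pass a zero or negative size is not visible in this diff, so I would state the assumption in code with an early `if (dst_size <= 0) return;` near the top of decode_delta_j, or make the parameter unsigned. The same mixed-sign comparison appears in the next hunk as `if (noffset >= dst_size)`. The function body begins and continues outside this hunk.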
@@ -893,21 +891,21 @@ static void decode_delta_j(uint8_t *dst,
 
                 for (r = 0; r < rows; r++) {
                     for (d = 0; d < bpp; d++) {
-                        ptr = dst + offset + (r * pitch) + d * planepitch;
-                        if (ptr >= end)
-                            return;
+                        unsigned noffset = offset + (r * pitch) + d * planepitch;
 
                         for (b = 0; b < bytes; b++) {
                             uint8_t value = bytestream2_get_byte(&gb);
 
+                            if (noffset >= dst_size)
+                                return;
+                            ptr = dst + noffset;
+
                             if (flag)
                                 ptr[0] ^= value;
                             else
                                 ptr[0]  = value;
 
-                            ptr++;
-                            if (ptr >= end)
-                                return;
+                            noffset++;
                         }
                     }
                 }
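Review bot: In `unsigned noffset = offset + (r * pitch) + d * planepitch;` the products may be evaluated as signed arithmetic, since `pitch` is `int32_t` and the declarations of `r`, `d` and `planepitch` are outside the hunk. If they are signed, a large `rows` value could overflow the multiplication, which is undefined behaviour before the range check ever runs. Doing the arithmetic in unsigned, e.g. `unsigned noffset = offset + (unsigned)r * pitch + (unsigned)d * planepitch;`, keeps wraparound well defined so the per-byte `noffset >= dst_size` check remains the single point of enforcement. Separately, the bounds check now sits only inside the `b` loop, so a record with `bytes == 0` no longer returns early and runs `rows * bpp` empty iterations; if `rows` is taken from the stream, an explicit `if (!bytes)` skip would bound that work.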


