[MPlayer-dev-eng] [PATCH] qtrle decoder can read beyond end of input buffer

Michael Lampe Michael.Lampe at iwr.uni-heidelberg.de
Mon Jul 1 17:41:06 CEST 2002


Hi!

--- qtrle.c-old Mon Jul  1 17:17:41 2002
+++ qtrle.c     Mon Jul  1 17:17:41 2002
@@ -61,7 +61,8 @@
    {
      pixel_ptr = row_ptr + ((encoded[stream_ptr++] - 1) * bytes_per_pixel);

-    while ((rle_code = (signed char)encoded[stream_ptr++]) != -1)
+    while (stream_ptr < encoded_size &&
+           (rle_code = (signed char)encoded[stream_ptr++]) != -1)
      {
        if (rle_code == 0)
          // there's another skip code in the stream
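Review bot: the new `stream_ptr < encoded_size` guard only covers the read of `rle_code` itself; the read two lines above it, `pixel_ptr = row_ptr + ((encoded[stream_ptr++] - 1) * bytes_per_pixel);`, still indexes `encoded` with no bounds check, and the `rle_code == 0` skip-code branch at the end of the hunk consumes at least one more byte inside the loop body that the new condition does not protect. Consider checking the remaining length before every read rather than only at the loop head, for instance a small macro that compares `stream_ptr` plus the bytes about to be consumed against `encoded_size` and breaks out of the loop when the stream is exhausted, so that a truncated or malformed stream cannot run past the end of the buffer on any of these paths.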

See http://cox.iwr.uni-heidelberg.de/~ug/films/stefan.mov for a file 
demonstrating the bug.

-Michael