Mercurial > libavcodec.hg
comparison indeo3.c @ 8669:16b978f64d9e libavcodec
Fix an exploit in indeo by checking we are not writing out of the strip array.
Fixes issue 655
author | benoit |
---|---|
date | Mon, 26 Jan 2009 09:41:23 +0000 |
parents | fa328586b9ce |
children | 7e7acb5d1da8 |
comparison
equal
deleted
inserted
replaced
8668:191860960b23 | 8669:16b978f64d9e |
---|---|
250 bit_pos -= 2; | 250 bit_pos -= 2; |
251 cmd = (bit_buf >> bit_pos) & 0x03; | 251 cmd = (bit_buf >> bit_pos) & 0x03; |
252 | 252 |
253 if(cmd == 0) { | 253 if(cmd == 0) { |
254 strip++; | 254 strip++; |
255 if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) { | |
256 av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n"); | |
257 break; | |
258 } | |
255 memcpy(strip, strip-1, sizeof(*strip)); | 259 memcpy(strip, strip-1, sizeof(*strip)); |
256 strip->split_flag = 1; | 260 strip->split_flag = 1; |
257 strip->split_direction = 0; | 261 strip->split_direction = 0; |
258 strip->height = (strip->height > 8 ? ((strip->height+8)>>4)<<3 : 4); | 262 strip->height = (strip->height > 8 ? ((strip->height+8)>>4)<<3 : 4); |
259 continue; | 263 continue; |
260 } else if(cmd == 1) { | 264 } else if(cmd == 1) { |
261 strip++; | 265 strip++; |
266 if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) { | |
267 av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n"); | |
268 break; | |
269 } | |
262 memcpy(strip, strip-1, sizeof(*strip)); | 270 memcpy(strip, strip-1, sizeof(*strip)); |
263 strip->split_flag = 1; | 271 strip->split_flag = 1; |
264 strip->split_direction = 1; | 272 strip->split_direction = 1; |
265 strip->width = (strip->width > 8 ? ((strip->width+8)>>4)<<3 : 4); | 273 strip->width = (strip->width > 8 ? ((strip->width+8)>>4)<<3 : 4); |
266 continue; | 274 continue; |