comparison indeo3.c @ 8669:16b978f64d9e libavcodec

Fix an exploit in indeo by checking we are not writing out of the strip array. Fixes issue 655
author benoit
date Mon, 26 Jan 2009 09:41:23 +0000
parents fa328586b9ce
children 7e7acb5d1da8
8668:191860960b23 8669:16b978f64d9e
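--- a/indeo3.c
+++ b/indeo3.c
@@ -250,17 +250,25 @@
 bit_pos -= 2;
 cmd = (bit_buf >> bit_pos) & 0x03;
 
 if(cmd == 0) {
 strip++;
+if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+break;
+}
 memcpy(strip, strip-1, sizeof(*strip));
 strip->split_flag = 1;
 strip->split_direction = 0;
 strip->height = (strip->height > 8 ? ((strip->height+8)>>4)<<3 : 4);
 continue;
 } else if(cmd == 1) {
 strip++;
+if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+break;
+}
 memcpy(strip, strip-1, sizeof(*strip));
 strip->split_flag = 1;
 strip->split_direction = 1;
 strip->width = (strip->width > 8 ? ((strip->width+8)>>4)<<3 : 4);
 continue;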
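Review bot: In both the `cmd == 0` and `cmd == 1` branches the bounds test runs after `strip++`, so on the `break` path `strip` is left pointing one past the end of `strip_tbl`. The guard does protect the `memcpy` that follows, but the loop exit and the rest of the function are outside this hunk, so it cannot be confirmed here that nothing reads or writes through `strip` afterwards. Testing before the increment, `if(strip + 1 >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {`, with `strip++;` moved below the check, would keep the pointer inside the array on every path. The condition also means the bitstream is malformed, yet it is logged at `AV_LOG_WARNING` and decoding simply stops. If the enclosing function can report a status, `AV_LOG_ERROR` plus an error return would let the caller discard the frame instead of presenting a partially decoded one.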