Mercurial > libavcodec.hg
comparison lzw.c @ 4733:507d08212e36 libavcodec
check input validity, this prevents a few variables from reachin odd values which might have lead to out of array writes and thus might have been exploitable
author | michael |
---|---|
date | Sun, 25 Mar 2007 23:37:38 +0000 |
parents | 8583aa3c21bc |
children | 8903c1d6db18 |
comparison
equal
deleted
inserted
replaced
4732:8583aa3c21bc | 4733:507d08212e36 |
---|---|
194 if ((--l) == 0) | 194 if ((--l) == 0) |
195 goto the_end; | 195 goto the_end; |
196 } | 196 } |
197 c = lzw_get_code(s); | 197 c = lzw_get_code(s); |
198 if (c == s->end_code) { | 198 if (c == s->end_code) { |
199 s->end_code = -1; | |
200 break; | 199 break; |
201 } else if (c == s->clear_code) { | 200 } else if (c == s->clear_code) { |
202 s->cursize = s->codesize + 1; | 201 s->cursize = s->codesize + 1; |
203 s->curmask = mask[s->cursize]; | 202 s->curmask = mask[s->cursize]; |
204 s->slot = s->newcodes; | 203 s->slot = s->newcodes; |
205 s->top_slot = 1 << s->cursize; | 204 s->top_slot = 1 << s->cursize; |
206 fc= oc= -1; | 205 fc= oc= -1; |
207 } else { | 206 } else { |
208 code = c; | 207 code = c; |
209 if (code >= s->slot) { | 208 if (code == s->slot && fc>=0) { |
210 *sp++ = fc; | 209 *sp++ = fc; |
211 code = oc; | 210 code = oc; |
212 } | 211 }else if(code >= s->slot) |
212 break; | |
213 while (code >= s->newcodes) { | 213 while (code >= s->newcodes) { |
214 *sp++ = s->suffix[code]; | 214 *sp++ = s->suffix[code]; |
215 code = s->prefix[code]; | 215 code = s->prefix[code]; |
216 } | 216 } |
217 *sp++ = code; | 217 *sp++ = code; |
227 s->curmask = mask[++s->cursize]; | 227 s->curmask = mask[++s->cursize]; |
228 } | 228 } |
229 } | 229 } |
230 } | 230 } |
231 } | 231 } |
232 s->end_code = -1; | |
232 the_end: | 233 the_end: |
233 s->sp = sp; | 234 s->sp = sp; |
234 s->oc = oc; | 235 s->oc = oc; |
235 s->fc = fc; | 236 s->fc = fc; |
236 return len - l; | 237 return len - l; |