changeset 2827:deaf39d8381b libavcodec

tinfoil patch: make sure pixel_ptr never goes negative
author melanson
date Sat, 13 Aug 2005 17:46:09 +0000
parents 08cf92c2f7c0
children 2aae25679885
files qtrle.c
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/qtrle.c	Sat Aug 13 17:12:38 2005 +0000
+++ b/qtrle.c	Sat Aug 13 17:46:09 2005 +0000
@@ -58,8 +58,8 @@
   }
 
 #define CHECK_PIXEL_PTR(n) \
-  if (pixel_ptr + n > pixel_limit) { \
-    av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr >= pixel_limit (%d >= %d)\n", \
+  if ((pixel_ptr + n > pixel_limit) || (pixel_ptr + n < 0)) { \
+    av_log (s->avctx, AV_LOG_INFO, "Problem: pixel_ptr = %d, pixel_limit = %d\n", \
       pixel_ptr + n, pixel_limit); \
     return; \
   } \
@@ -119,6 +119,7 @@
                 /* there's another skip code in the stream */
                 CHECK_STREAM_PTR(1);
                 pixel_ptr += (8 * (s->buf[stream_ptr++] - 1));
+                CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
             } else if (rle_code < 0) {
                 /* decode the run length code */
                 rle_code = -rle_code;
@@ -209,6 +210,7 @@
                 /* there's another skip code in the stream */
                 CHECK_STREAM_PTR(1);
                 pixel_ptr += (4 * (s->buf[stream_ptr++] - 1));
+                CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
             } else if (rle_code < 0) {
                 /* decode the run length code */
                 rle_code = -rle_code;
@@ -290,6 +292,7 @@
                 /* there's another skip code in the stream */
                 CHECK_STREAM_PTR(1);
                 pixel_ptr += (s->buf[stream_ptr++] - 1) * 2;
+                CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
             } else if (rle_code < 0) {
                 /* decode the run length code */
                 rle_code = -rle_code;
@@ -367,6 +370,7 @@
                 /* there's another skip code in the stream */
                 CHECK_STREAM_PTR(1);
                 pixel_ptr += (s->buf[stream_ptr++] - 1) * 3;
+                CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
             } else if (rle_code < 0) {
                 /* decode the run length code */
                 rle_code = -rle_code;
@@ -446,6 +450,7 @@
                 /* there's another skip code in the stream */
                 CHECK_STREAM_PTR(1);
                 pixel_ptr += (s->buf[stream_ptr++] - 1) * 4;
+                CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
             } else if (rle_code < 0) {
                 /* decode the run length code */
                 rle_code = -rle_code;