"Ronald S. Bultje" <[email protected]> writes: > --- > libavcodec/dfa.c | 6 +++--- > 1 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c > index 1023197..b149791 100644 > --- a/libavcodec/dfa.c > +++ b/libavcodec/dfa.c > @@ -81,7 +81,7 @@ static int decode_tsw1(uint8_t *frame, int width, int > height, > v = bytestream_get_le16(&src); > offset = (v & 0x1FFF) << 1; > count = ((v >> 13) + 2) << 1; > - if (frame - offset < frame_start || frame_end - frame < count) > + if (frame - frame_start < offset || frame_end - frame < count) > return -1; > av_memcpy_backptr(frame, offset, count); > frame += count; > @@ -117,7 +117,7 @@ static int decode_dsw1(uint8_t *frame, int width, int > height, > v = bytestream_get_le16(&src); > offset = (v & 0x1FFF) << 1; > count = ((v >> 13) + 2) << 1; > - if (frame - offset < frame_start || frame_end - frame < count) > + if (frame - frame_start < offset || frame_end - frame < count) > return -1; > // can't use av_memcpy_backptr() since it can overwrite > following pixels > for (v = 0; v < count; v++) > @@ -157,7 +157,7 @@ static int decode_dds1(uint8_t *frame, int width, int > height, > v = bytestream_get_le16(&src); > offset = (v & 0x1FFF) << 2; > count = ((v >> 13) + 2) << 1; > - if (frame - offset < frame_start || frame_end - frame < count*2 > + width) > + if (frame - frame_start < offset || frame_end - frame < count*2 > + width) > return -1; > for (i = 0; i < count; i++) { > frame[0] = frame[1] = > --
Looks OK, but the initial checks for 'frame' being in range must be fixed as well. -- Måns Rullgård [email protected] _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
