On Sun, Dec 11, 2011 at 11:48:29PM +0530, Shitiz Garg wrote:
> ---
>  libavcodec/qtrle.c |   40 +++++++++++++++++++++++++++++++++++-----
>  1 files changed, 35 insertions(+), 5 deletions(-)
> 
> diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
> index 0c74798..9f529f8 100644
> --- a/libavcodec/qtrle.c
> +++ b/libavcodec/qtrle.c
> @@ -117,7 +117,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, 
> int stream_ptr,
>                               int row_ptr, int lines_to_change, int bpp)
>  {
>      int rle_code, i;
> -    int pixel_ptr;
> +    int pixel_ptr = -1;
>      int row_inc = s->frame.linesize[0];
>      unsigned char pi[16];  /* 16 palette indices */
>      unsigned char *rgb = s->frame.data[0];
> @@ -126,6 +126,12 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, 
> int stream_ptr,
>  
>      while (lines_to_change--) {
>          CHECK_STREAM_PTR(2);
> +
> +        if (pixel_ptr > row_ptr + (num_pixels * (s->buf[stream_ptr] - 1))) {
> +            av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go 
> backwards\n");
> +            return;
> +        }
> +
>          pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
>  
>          while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
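Review bot: The new guard on the line after `CHECK_STREAM_PTR(2)` compares the candidate start offset against the value pixel_ptr held at the end of the previous row (or the -1 sentinel on the first row), not against the current row_ptr, so a skip byte of 0 that lands the pointer inside the previous row's range still passes; the invariant the decoder needs is that the row start is never before row_ptr, which this comparison only approximates. The candidate offset is also computed twice, once in the check and once in the assignment on the following line, so a single local would make the intent clearer, e.g. `int skip = s->buf[stream_ptr++] - 1;` followed by `if (skip < 0) { av_log(...); return; }` and `pixel_ptr = row_ptr + num_pixels * skip;`. The enclosing function and the inner `while` body continue outside the hunk, so any later adjustments of pixel_ptr are not visible here.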

This looks slightly wrong.

What about simply checking whether s->buf[stream_ptr] is zero at this position and
printing an error in that case?
Also below there's an expression
pixel_ptr += (num_pixels * (s->buf[stream_ptr++] - 1));
which is also worth checking for moving backwards.
