On Mon, Apr 21, 2014 at 12:56:58PM -0400, Derek Buitenhuis wrote: > From: Michael Niedermayer <[email protected]> > > fix integer overflows > > Signed-off-by: Michael Niedermayer <[email protected]> > Signed-off-by: Derek Buitenhuis <[email protected]> > --- > libavcodec/fic.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/libavcodec/fic.c b/libavcodec/fic.c > index 549c03b..53b60f6 100644 > --- a/libavcodec/fic.c > +++ b/libavcodec/fic.c > @@ -354,8 +354,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void > *data, > } > > for (slice = 0; slice < nslices; slice++) { > - int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4); > - int slice_size; > + unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * > 4); > + unsigned slice_size; > int y_off = ctx->slice_h * slice; > int slice_h = ctx->slice_h; > > @@ -370,11 +370,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void > *data, > slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + > 4); > } > > - slice_size -= slice_off; > - > - if (slice_off > msize || slice_off + slice_size > msize) > + if (slice_size < slice_off || slice_size > msize) > continue; > > + slice_size -= slice_off; > + > ctx->slice_data[slice].src = sdata + slice_off; > ctx->slice_data[slice].src_size = slice_size; > ctx->slice_data[slice].slice_h = slice_h; > --
probably OK _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
