On 07/14/2014 01:09 PM, Fabiano Fidêncio wrote:
Check for MELCSTAT - 1 to get inside the branch, otherwise
MELCSTATES (missing ES, also below missing S)
(...)->rgb_state.melcstate may be up to MELCSTATE after the
pre-incrementing, which would result in an access to a position
that is out of bounds of the array of size MELCSTATE.

Ack

Thanks,
    Uri.

---
  common/quic.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/common/quic.c b/common/quic.c
index c10e3c4..4584336 100644
--- a/common/quic.c
+++ b/common/quic.c
@@ -578,7 +578,7 @@ static void encode_run(Encoder *encoder, unsigned int 
runlen) //todo: try use en
      while (runlen >= encoder->rgb_state.melcorder) {
          hits++;
          runlen -= encoder->rgb_state.melcorder;
-        if (encoder->rgb_state.melcstate < MELCSTATES) {
+        if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
              encoder->rgb_state.melclen = J[++encoder->rgb_state.melcstate];
              encoder->rgb_state.melcorder = (1L << encoder->rgb_state.melclen);
          }
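Review bot: The new bound `melcstate < MELCSTATES - 1` is only correct if `J` has exactly MELCSTATES entries, and nothing in this hunk ties the two together; J's declaration is outside the hunk, so its size is inferred from the commit description. Assuming J is a file-scope array, a compile-time check next to the table, for example `_Static_assert(sizeof(J) / sizeof(J[0]) == MELCSTATES, "J must have MELCSTATES entries");` or the project's own equivalent, would keep the pre-incremented index in range if the table or the constant changes later. The same applies to the identical guards in encode_channel_run, decode_run and decode_channel_run. encode_run's body continues outside the hunk.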
@@ -610,7 +610,7 @@ static void encode_channel_run(Encoder *encoder, Channel 
*channel, unsigned int
      while (runlen >= channel->state.melcorder) {
          hits++;
          runlen -= channel->state.melcorder;
-        if (channel->state.melcstate < MELCSTATES) {
+        if (channel->state.melcstate < MELCSTATES - 1) {
              channel->state.melclen = J[++channel->state.melcstate];
              channel->state.melcorder = (1L << channel->state.melclen);
          }
@@ -647,7 +647,7 @@ static int decode_run(Encoder *encoder)
          for (hits = 1; hits <= temp; hits++) {
              runlen += encoder->rgb_state.melcorder;
- if (encoder->rgb_state.melcstate < MELCSTATES) {
+            if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
                  encoder->rgb_state.melclen = 
J[++encoder->rgb_state.melcstate];
                  encoder->rgb_state.melcorder = (1U << 
encoder->rgb_state.melclen);
              }
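Review bot: The step width here is computed as `1U << encoder->rgb_state.melclen`, while the encoder-side hunks (encode_run, encode_channel_run) use `1L <<` for the same field; decode_channel_run has the same difference. Because the decode path presumably advances this state from stream contents it did not produce, it would help to use one literal on both sides, e.g. `(1U << encoder->rgb_state.melclen)` everywhere, and to add a comment giving the largest value J can hold so a reader can see the shift count stays below the width of the type. The type of melcorder and the contents of J are not visible in this hunk, so whether the difference matters today cannot be confirmed from here. decode_run's body starts and ends outside the hunk.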
@@ -688,7 +688,7 @@ static int decode_channel_run(Encoder *encoder, Channel 
*channel)
          for (hits = 1; hits <= temp; hits++) {
              runlen += channel->state.melcorder;
- if (channel->state.melcstate < MELCSTATES) {
+            if (channel->state.melcstate < MELCSTATES - 1) {
                  channel->state.melclen = J[++channel->state.melcstate];
                  channel->state.melcorder = (1U << channel->state.melclen);
              }
