Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2025-01-05 23:00:02 +00:00 · 2011-09-25 00:08:51 +02:00 · 2011-09-25 00:08:51 +02:00 · 35cb6854bb
commit 35cb6854bb
parent 4749e07498
1 changed files with 2 additions and 2 deletions
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
        l = *ps++;
        if (l & 0x80) {
            l = (l & 0x7F) * 2;
-            if (pd + l > dest_end || ps_end - ps < l)
+            if (dest_end - pd < l || ps_end - ps < l)
                return ps - src;
            memcpy(pd, ps, l);
            ps += l;
            pd += l;
        } else {
-            if (pd + i > dest_end || ps_end - ps < 2)
+            if (dest_end - pd < i || ps_end - ps < 2)
                return ps - src;
            for (i = 0; i < l; i++) {
                *pd++ = ps[0];