qpeg: Fix out of array writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2012-03-03 03:37:52 +01:00 · 2012-03-03 03:37:52 +01:00 · 5dbc75870f
parent c91a14638e
commit 5dbc75870f
1 changed files with 4 additions and 0 deletions
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
+                    if(height < 0)
+                        break;
                }
            }
        } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
                    filled = 0;
                    dst -= stride;
                    height--;
+                    if(height < 0)
+                        break;
                }
            }
            size -= code + 1;