avcodec/fic: fix slice checks

fix integer overflows

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2014-02-15 17:19:32 +01:00
parent ed1a687856
commit d46ef40129

View File

@ -214,8 +214,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
}
for (slice = 0; slice < nslices; slice++) {
int slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
int slice_size;
unsigned slice_off = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4);
unsigned slice_size;
int y_off = ctx->slice_h * slice;
int slice_h = ctx->slice_h;
@ -230,11 +230,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
}
slice_size -= slice_off;
if (slice_off > msize || slice_off + slice_size > msize)
if (slice_size < slice_off || slice_size > msize)
continue;
slice_size -= slice_off;
ctx->slice_data[slice].src = sdata + slice_off;
ctx->slice_data[slice].src_size = slice_size;
ctx->slice_data[slice].slice_h = slice_h;