What if some other variable is wrong? I know there's hardly a chance, but it's possible. And yeah, that line could possibly be checked.
On Sun, Dec 11, 2011 at 11:54 PM, Kostya Shishkov <[email protected]> wrote:
> On Sun, Dec 11, 2011 at 11:48:29PM +0530, Shitiz Garg wrote:
>> ---
>> libavcodec/qtrle.c | 40 +++++++++++++++++++++++++++++++++++-----
>> 1 files changed, 35 insertions(+), 5 deletions(-)
>>
>> diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
>> index 0c74798..9f529f8 100644
>> --- a/libavcodec/qtrle.c
>> +++ b/libavcodec/qtrle.c
>> @@ -117,7 +117,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s,
>> int stream_ptr,
>> int row_ptr, int lines_to_change, int bpp)
>> {
>> int rle_code, i;
>> - int pixel_ptr;
>> + int pixel_ptr = -1;
>> int row_inc = s->frame.linesize[0];
>> unsigned char pi[16]; /* 16 palette indices */
>> unsigned char *rgb = s->frame.data[0];
>> @@ -126,6 +126,12 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s,
>> int stream_ptr,
>>
>> while (lines_to_change--) {
>> CHECK_STREAM_PTR(2);
>> +
>> + if (pixel_ptr > row_ptr + (num_pixels * (s->buf[stream_ptr] - 1))) {
>> + av_log(s->avctx, AV_LOG_ERROR, "pixel_ptr cannot go
>> backwards\n");
>> + return;
>> + }
>> +
>> pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
>>
>> while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
>
> This looks slightly wrong.
>
> What about simply checking if s->buf[stream_ptr] is zero in this position and
> print error then?
> Also below there's an expression
> pixel_ptr += (num_pixels * (s->buf[stream_ptr++] - 1));
> which is also worth checking for moving backwards.
> _______________________________________________
> libav-devel mailing list
> [email protected]
> https://lists.libav.org/mailman/listinfo/libav-devel
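Review bot: the `int pixel_ptr = -1;` initialiser in the first hunk is an undocumented sentinel; it only makes sense together with the comparison added in the second hunk (before the first line is decoded there is no previous position, and -1 is meant to sit below any valid `row_ptr + num_pixels * (skip - 1)`), and whether it actually does depends on the initial `row_ptr`, which this hunk does not show. Either comment the intent on that line, e.g. `int pixel_ptr = -1; /* nothing decoded yet */`, or drop the sentinel and validate the skip byte itself, which needs no prior state.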
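Review bot: the new `if (pixel_ptr > row_ptr + (num_pixels * (s->buf[stream_ptr] - 1)))` check compares the new row start against the previous row's final `pixel_ptr` rather than against the current `row_ptr`, so a skip byte of 0 still passes whenever the previous row's run ended more than `num_pixels` bytes before the new row begins, and `pixel_ptr` is then set `num_pixels` before the start of the row. Rejecting the zero skip byte directly (`if (s->buf[stream_ptr] == 0) { av_log(s->avctx, AV_LOG_ERROR, "..."); return; }`) catches the backwards move in every case and removes the need for the -1 initialiser. The same `skip - 1` subtraction is applied again further down in `pixel_ptr += (num_pixels * (s->buf[stream_ptr++] - 1));`, which this patch leaves unchecked; it needs the same treatment.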
