Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a65045915f5b4ec6da73df54d1914b320a861223)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -127,6 +127,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr, |
127 | 127 |
while (lines_to_change--) { |
128 | 128 |
CHECK_STREAM_PTR(2); |
129 | 129 |
pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1)); |
130 |
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ |
|
130 | 131 |
|
131 | 132 |
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { |
132 | 133 |
if (rle_code == 0) { |
... | ... |
@@ -183,6 +184,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int |
183 | 183 |
while (lines_to_change--) { |
184 | 184 |
CHECK_STREAM_PTR(2); |
185 | 185 |
pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1)); |
186 |
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ |
|
186 | 187 |
|
187 | 188 |
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { |
188 | 189 |
if (rle_code == 0) { |
... | ... |
@@ -236,6 +238,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int |
236 | 236 |
while (lines_to_change--) { |
237 | 237 |
CHECK_STREAM_PTR(2); |
238 | 238 |
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2; |
239 |
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ |
|
239 | 240 |
|
240 | 241 |
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { |
241 | 242 |
if (rle_code == 0) { |
... | ... |
@@ -285,6 +288,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int |
285 | 285 |
while (lines_to_change--) { |
286 | 286 |
CHECK_STREAM_PTR(2); |
287 | 287 |
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3; |
288 |
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ |
|
288 | 289 |
|
289 | 290 |
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { |
290 | 291 |
if (rle_code == 0) { |
... | ... |
@@ -336,6 +340,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int |
336 | 336 |
while (lines_to_change--) { |
337 | 337 |
CHECK_STREAM_PTR(2); |
338 | 338 |
pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4; |
339 |
+ CHECK_PIXEL_PTR(0); /* make sure pixel_ptr is positive */ |
|
339 | 340 |
|
340 | 341 |
while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) { |
341 | 342 |
if (rle_code == 0) { |