Browse code
qpeg: Fix out of array writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/03/03 11:37:52Showing 1 changed files
| ... | ... |
@@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, |
| 203 | 203 |
filled = 0; |
| 204 | 204 |
dst -= stride; |
| 205 | 205 |
height--; |
| 206 |
+ if(height < 0) |
|
| 207 |
+ break; |
|
| 206 | 208 |
} |
| 207 | 209 |
} |
| 208 | 210 |
} else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
|
| ... | ... |
@@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size, |
| 214 | 214 |
filled = 0; |
| 215 | 215 |
dst -= stride; |
| 216 | 216 |
height--; |
| 217 |
+ if(height < 0) |
|
| 218 |
+ break; |
|
| 217 | 219 |
} |
| 218 | 220 |
} |
| 219 | 221 |
size -= code + 1; |