Commit d8b45f79 authored by Alex Beregszaszi's avatar Alex Beregszaszi
Browse files

Fix possible overflows. Found by Steven Johnson

Originally committed as revision 7065 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent eda70b42
...@@ -156,7 +156,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, ...@@ -156,7 +156,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
int starting_line; int starting_line;
signed short line_packets; signed short line_packets;
int y_ptr; int y_ptr;
signed char byte_run; int byte_run;
int pixel_skip; int pixel_skip;
int pixel_countdown; int pixel_countdown;
unsigned char *pixels; unsigned char *pixels;
...@@ -258,7 +258,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, ...@@ -258,7 +258,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_skip = buf[stream_ptr++]; pixel_skip = buf[stream_ptr++];
pixel_ptr += pixel_skip; pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip; pixel_countdown -= pixel_skip;
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run < 0) { if (byte_run < 0) {
byte_run = -byte_run; byte_run = -byte_run;
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
...@@ -301,7 +301,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, ...@@ -301,7 +301,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixel_skip = buf[stream_ptr++]; pixel_skip = buf[stream_ptr++];
pixel_ptr += pixel_skip; pixel_ptr += pixel_skip;
pixel_countdown -= pixel_skip; pixel_countdown -= pixel_skip;
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run);
for (j = 0; j < byte_run; j++, pixel_countdown--) { for (j = 0; j < byte_run; j++, pixel_countdown--) {
...@@ -341,7 +341,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, ...@@ -341,7 +341,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
stream_ptr++; stream_ptr++;
pixel_countdown = s->avctx->width; pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) { while (pixel_countdown > 0) {
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run);
...@@ -443,7 +443,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, ...@@ -443,7 +443,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
int compressed_lines; int compressed_lines;
signed short line_packets; signed short line_packets;
int y_ptr; int y_ptr;
signed char byte_run; int byte_run;
int pixel_skip; int pixel_skip;
int pixel_countdown; int pixel_countdown;
unsigned char *pixels; unsigned char *pixels;
...@@ -503,7 +503,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, ...@@ -503,7 +503,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_skip = buf[stream_ptr++]; pixel_skip = buf[stream_ptr++];
pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */ pixel_ptr += (pixel_skip*2); /* Pixel is 2 bytes wide */
pixel_countdown -= pixel_skip; pixel_countdown -= pixel_skip;
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run < 0) { if (byte_run < 0) {
byte_run = -byte_run; byte_run = -byte_run;
pixel = LE_16(&buf[stream_ptr]); pixel = LE_16(&buf[stream_ptr]);
...@@ -549,7 +549,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, ...@@ -549,7 +549,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = (s->avctx->width * 2); pixel_countdown = (s->avctx->width * 2);
while (pixel_countdown > 0) { while (pixel_countdown > 0) {
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++]; palette_idx1 = buf[stream_ptr++];
CHECK_PIXEL_PTR(byte_run); CHECK_PIXEL_PTR(byte_run);
...@@ -603,7 +603,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, ...@@ -603,7 +603,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */ pixel_countdown = s->avctx->width; /* Width is in pixels, not bytes */
while (pixel_countdown > 0) { while (pixel_countdown > 0) {
byte_run = buf[stream_ptr++]; byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) { if (byte_run > 0) {
pixel = LE_16(&buf[stream_ptr]); pixel = LE_16(&buf[stream_ptr]);
stream_ptr += 2; stream_ptr += 2;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment