Commit ec00c411 authored by reimar's avatar reimar

Change buffer size checks to avoid the very unlikely overflow case.


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18576 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 7560101b
...@@ -140,12 +140,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l ...@@ -140,12 +140,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
offset = *src++; offset = *src++;
size = opcode & 3; size = opcode & 3;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
memcpy(dest, src, size); dest += size; src += size; memcpy(dest, src, size); dest += size; src += size;
size = ((opcode & 0x1c) >> 2) + 3; size = ((opcode & 0x1c) >> 2) + 3;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
av_memcpy_backptr(dest, ((opcode & 0x60) << 3) + offset + 1, size); av_memcpy_backptr(dest, ((opcode & 0x60) << 3) + offset + 1, size);
dest += size; dest += size;
...@@ -156,12 +156,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l ...@@ -156,12 +156,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
byte2 = *src++; byte2 = *src++;
size = byte1 >> 6; size = byte1 >> 6;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
memcpy(dest, src, size); dest += size; src += size; memcpy(dest, src, size); dest += size; src += size;
size = (opcode & 0x3f) + 4; size = (opcode & 0x3f) + 4;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
av_memcpy_backptr(dest, ((byte1 & 0x3f) << 8) + byte2 + 1, size); av_memcpy_backptr(dest, ((byte1 & 0x3f) << 8) + byte2 + 1, size);
dest += size; dest += size;
...@@ -173,12 +173,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l ...@@ -173,12 +173,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
byte3 = *src++; byte3 = *src++;
size = opcode & 3; size = opcode & 3;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
memcpy(dest, src, size); dest += size; src += size; memcpy(dest, src, size); dest += size; src += size;
size = byte3 + 5 + ((opcode & 0xc) << 6); size = byte3 + 5 + ((opcode & 0xc) << 6);
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
av_memcpy_backptr(dest, av_memcpy_backptr(dest,
((opcode & 0x10) << 12) + 1 + (byte1 << 8) + byte2, ((opcode & 0x10) << 12) + 1 + (byte1 << 8) + byte2,
...@@ -190,7 +190,7 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l ...@@ -190,7 +190,7 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
if (size > 0x70) if (size > 0x70)
break; break;
if (dest + size > dest_end) if (size > dest_end - dest)
return; return;
memcpy(dest, src, size); dest += size; src += size; memcpy(dest, src, size); dest += size; src += size;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment