Skip to content
Permalink
Browse files Browse the repository at this point in the history
avcodec/rpza: Perform pointer advance and checks before using the poi…
…nters

Fixes out of array accesses
Fixes Ticket2850

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
  • Loading branch information
michaelni committed Aug 21, 2013
1 parent 920046a commit 3819db7
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions libavcodec/rpza.c
Expand Up @@ -85,7 +85,7 @@ static void rpza_decode_stream(RpzaContext *s)
unsigned short *pixels = (unsigned short *)s->frame.data[0];

int row_ptr = 0;
int pixel_ptr = 0;
int pixel_ptr = -4;
int block_ptr;
int pixel_x, pixel_y;
int total_blocks;
Expand Down Expand Up @@ -141,6 +141,7 @@ static void rpza_decode_stream(RpzaContext *s)
colorA = AV_RB16 (&s->buf[stream_ptr]);
stream_ptr += 2;
while (n_blocks--) {
ADVANCE_BLOCK()
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
Expand All @@ -149,7 +150,6 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
ADVANCE_BLOCK();
}
break;

Expand Down Expand Up @@ -188,6 +188,7 @@ static void rpza_decode_stream(RpzaContext *s)
if (s->size - stream_ptr < n_blocks * 4)
return;
while (n_blocks--) {
ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
index = s->buf[stream_ptr++];
Expand All @@ -198,14 +199,14 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
ADVANCE_BLOCK();
}
break;

/* Fill block with 16 colors */
case 0x00:
if (s->size - stream_ptr < 16)
return;
ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
Expand All @@ -219,7 +220,6 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
ADVANCE_BLOCK();
break;

/* Unknown opcode */
Expand Down

0 comments on commit 3819db7

Please sign in to comment.