Revision 2c9a5172

View differences:

libavcodec/dfa.c
62 62
    const uint8_t *frame_start = frame;
63 63
    const uint8_t *frame_end   = frame + width * height;
64 64
    int mask = 0x10000, bitbuf = 0;
65
    int v, offset, count, segments;
65
    int v, count, segments;
66
    unsigned offset;
66 67

  
67 68
    segments = bytestream_get_le32(&src);
68
    frame   += bytestream_get_le32(&src);
69
    if (frame < frame_start || frame > frame_end)
69
    offset   = bytestream_get_le32(&src);
70
    if (frame_end - frame <= offset)
70 71
        return -1;
72
    frame += offset;
71 73
    while (segments--) {
72 74
        if (mask == 0x10000) {
73 75
            if (src >= src_end)
......
189 191
    int count, lines, segments;
190 192

  
191 193
    count = bytestream_get_le16(&src);
192
    if (count >= height || width * count < 0)
194
    if (count >= height)
193 195
        return -1;
194 196
    frame += width * count;
195 197
    lines = bytestream_get_le16(&src);
196
    if (frame + lines * width > frame_end || src >= src_end)
198
    if (count + lines > height || src >= src_end)
197 199
        return -1;
198 200

  
199 201
    while (lines--) {
......
203 205
        while (segments--) {
204 206
            if (src_end - src < 3)
205 207
                return -1;
206
            line_ptr += *src++;
207
            if (line_ptr >= frame)
208
            if (frame - line_ptr <= *src)
208 209
                return -1;
210
            line_ptr += *src++;
209 211
            count = (int8_t)*src++;
210 212
            if (count >= 0) {
211
                if (line_ptr + count > frame || src_end - src < count)
213
                if (frame - line_ptr < count || src_end - src < count)
212 214
                    return -1;
213 215
                bytestream_get_buffer(&src, line_ptr, count);
214 216
            } else {
215 217
                count = -count;
216
                if (line_ptr + count > frame || src >= src_end)
218
                if (frame - line_ptr < count || src >= src_end)
217 219
                    return -1;
218 220
                memset(line_ptr, *src++, count);
219 221
            }
......
232 234
    int count, i, v, lines, segments;
233 235

  
234 236
    lines = bytestream_get_le16(&src);
235
    if (frame + lines * width > frame_end || src >= src_end)
237
    if (lines > height || src >= src_end)
236 238
        return -1;
237 239

  
238 240
    while (lines--) {
239 241
        segments = bytestream_get_le16(&src);
240 242
        while ((segments & 0xC000) == 0xC000) {
241
            frame    -= (int16_t)segments * width;
242
            if (frame >= frame_end)
243
            unsigned delta = -((int16_t)segments * width);
244
            if (frame_end - frame <= delta)
243 245
                return -1;
246
            frame    += delta;
244 247
            segments = bytestream_get_le16(&src);
245 248
        }
246 249
        if (segments & 0x8000) {
......
252 255
        while (segments--) {
253 256
            if (src_end - src < 2)
254 257
                return -1;
255
            line_ptr += *src++;
256
            if (line_ptr >= frame)
258
            if (frame - line_ptr <= *src)
257 259
                return -1;
260
            line_ptr += *src++;
258 261
            count = (int8_t)*src++;
259 262
            if (count >= 0) {
260
                if (line_ptr + count*2 > frame || src_end - src < count*2)
263
                if (frame - line_ptr < count*2 || src_end - src < count*2)
261 264
                    return -1;
262 265
                bytestream_get_buffer(&src, line_ptr, count*2);
263 266
                line_ptr += count * 2;
264 267
            } else {
265 268
                count = -count;
266
                if (line_ptr + count*2 > frame || src_end - src < 2)
269
                if (frame - line_ptr < count*2 || src_end - src < 2)
267 270
                    return -1;
268 271
                v = bytestream_get_le16(&src);
269 272
                for (i = 0; i < count; i++)

Also available in: Unified diff