Revision 4b96f43f libavcodec/xan.c

View differences:

libavcodec/xan.c
140 140
            offset = *src++;
141 141

  
142 142
            size = opcode & 3;
143
            if (dest + size > dest_end)
143
            if (size > dest_end - dest)
144 144
                return;
145 145
            memcpy(dest, src, size);  dest += size;  src += size;
146 146

  
147 147
            size = ((opcode & 0x1c) >> 2) + 3;
148
            if (dest + size > dest_end)
148
            if (size > dest_end - dest)
149 149
                return;
150 150
            av_memcpy_backptr(dest, ((opcode & 0x60) << 3) + offset + 1, size);
151 151
            dest += size;
......
156 156
            byte2 = *src++;
157 157

  
158 158
            size = byte1 >> 6;
159
            if (dest + size > dest_end)
159
            if (size > dest_end - dest)
160 160
                return;
161 161
            memcpy(dest, src, size);  dest += size;  src += size;
162 162

  
163 163
            size = (opcode & 0x3f) + 4;
164
            if (dest + size > dest_end)
164
            if (size > dest_end - dest)
165 165
                return;
166 166
            av_memcpy_backptr(dest, ((byte1 & 0x3f) << 8) + byte2 + 1, size);
167 167
            dest += size;
......
173 173
            byte3 = *src++;
174 174

  
175 175
            size = opcode & 3;
176
            if (dest + size > dest_end)
176
            if (size > dest_end - dest)
177 177
                return;
178 178
            memcpy(dest, src, size);  dest += size;  src += size;
179 179

  
180 180
            size = byte3 + 5 + ((opcode & 0xc) << 6);
181
            if (dest + size > dest_end)
181
            if (size > dest_end - dest)
182 182
                return;
183 183
            av_memcpy_backptr(dest,
184 184
                ((opcode & 0x10) << 12) + 1 + (byte1 << 8) + byte2,
......
190 190
            if (size > 0x70)
191 191
                break;
192 192

  
193
            if (dest + size > dest_end)
193
            if (size > dest_end - dest)
194 194
                return;
195 195
            memcpy(dest, src, size);  dest += size;  src += size;
196 196
        }

Also available in: Unified diff