summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-12-17 03:14:21 +0100
committerMichael Niedermayer <michaelni@gmx.at>2015-03-12 18:03:49 +0100
commitcd4827dfd43a46bfa751c3521cd1f32be7d5a472 (patch)
tree435e37c98d1881e09ded0eaae2204917046519e5
parent1d1cc267e6e7e846894fe58e5d63988ef4b77b8b (diff)
downloadffmpeg-cd4827dfd43a46bfa751c3521cd1f32be7d5a472.tar.gz
avcodec/indeo3: use signed variables to avoid underflow
Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat
-rw-r--r--libavcodec/indeo3.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 67859e57d2..3deffb007d 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext {
int16_t width, height;
uint32_t frame_num; ///< current frame number (zero-based)
- uint32_t data_size; ///< size of the frame data in bytes
+ int data_size; ///< size of the frame data in bytes
uint16_t frame_flags; ///< frame properties
uint8_t cb_offset; ///< needed for selecting VQ tables
uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary
@@ -886,7 +886,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
GetByteContext gb;
const uint8_t *bs_hdr;
uint32_t frame_num, word2, check_sum, data_size;
- uint32_t y_offset, u_offset, v_offset, starts[3], ends[3];
+ int y_offset, u_offset, v_offset;
+ uint32_t starts[3], ends[3];
uint16_t height, width;
int i, j;
View Lorry Controller Status