[04/11] qpeg: Add checks for running out of rows in qpeg_decode_inter

Message ID 1379599756-27062-4-git-send-email-martin@martin.st
State Committed
Commit 7a5a55722749a3ab77941914707277b147322cbe
Headers show

Commit Message

Martin Storsjö Sept. 19, 2013, 2:09 p.m.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/qpeg.c |    4 ++++
 1 file changed, 4 insertions(+)

Comments

Kostya Shishkov Sept. 19, 2013, 2:20 p.m. | #1
On Thu, Sep 19, 2013 at 05:09:09PM +0300, Martin Storsjö wrote:
> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: libav-stable@libav.org
> ---
>  libavcodec/qpeg.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
> index bb963ed..a3a5db5 100644
> --- a/libavcodec/qpeg.c
> +++ b/libavcodec/qpeg.c
> @@ -191,6 +191,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
>                      filled = 0;
>                      dst -= stride;
>                      height--;
> +                    if (height < 0)
> +                        break;
>                  }
>              }
>          } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
> @@ -202,6 +204,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
>                      filled = 0;
>                      dst -= stride;
>                      height--;
> +                    if (height < 0)
> +                        break;
>                  }
>              }
>          } else if(code >= 0x80) { /* skip code: 0x80..0xBF */
> -- 

LGTM

Patch

diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index bb963ed..a3a5db5 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -191,6 +191,8 @@  static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
                     filled = 0;
                     dst -= stride;
                     height--;
+                    if (height < 0)
+                        break;
                 }
             }
         } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
@@ -202,6 +204,8 @@  static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
                     filled = 0;
                     dst -= stride;
                     height--;
+                    if (height < 0)
+                        break;
                 }
             }
         } else if(code >= 0x80) { /* skip code: 0x80..0xBF */