Fix potential pointer arithmetic overflows in rle_unpack() of vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 35cb6854bb76b4a5b6f2aea2dce81e18d7ab61cd)
2011-09-25 00:08:51 +02:00 · 2011-09-25 00:08:51 +02:00 · 1b26a734b2
commit 1b26a734b2
parent 02bdeff1ef
1 changed files with 2 additions and 2 deletions
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
        l = *ps++;
        if (l & 0x80) {
            l = (l & 0x7F) * 2;
-            if (pd + l > dest_end || ps_end - ps < l)
+            if (dest_end - pd < l || ps_end - ps < l)
                return ps - src;
            memcpy(pd, ps, l);
            ps += l;
            pd += l;
        } else {
-            if (pd + i > dest_end || ps_end - ps < 2)
+            if (dest_end - pd < i || ps_end - ps < 2)
                return ps - src;
            for (i = 0; i < l; i++) {
                *pd++ = ps[0];