From ce69177a41e122cd2022231761f29adb0a08e159 Mon Sep 17 00:00:00 2001 From: Urvang Joshi Date: Wed, 9 May 2012 14:38:31 +0530 Subject: [PATCH] Fix a crash due to wrong pointer-integer arithmetic. [Basically, the condition "src - dist < data" can be wrongly evaluated to be false if "src < dist" due to underflow. Instead, "src - data < dist" is the correct condition, as "src > data" is always true and so there would never be an underflow]. Change-Id: Ic9f64bfe76a9acae97abc1fb7c1f4868e81f1eb8 --- src/dec/vp8l.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/dec/vp8l.c b/src/dec/vp8l.c index f6a01eec..7ba4bdcd 100644 --- a/src/dec/vp8l.c +++ b/src/dec/vp8l.c @@ -596,10 +596,12 @@ static int DecodeImageData(VP8LDecoder* const dec, const int length_sym = code - NUM_LITERAL_CODES; const int length = GetCopyLength(length_sym, br); const int dist_symbol = ReadSymbol(&htree_group->htrees_[DIST], br); + // TODO(urvang): Evaluate if we should check 'dist_symbol', 'dist_code' + // and/or 'dist' to be valid. VP8LFillBitWindow(br); dist_code = GetCopyDistance(dist_symbol, br); dist = PlaneCodeToDistance(width, dist_code); - if (src - dist < data || src + length > src_end) { + if (src - data < dist || src_end - src < length) { ok = 0; goto Error; }
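Review bot: the TODO at the top of the hunk is a real gap rather than a note: `src - data < dist` only rejects a distance that reaches before `data`, so a `dist` of zero or a negative value coming out of PlaneCodeToDistance() would pass the test and the following copy would read at or ahead of `src`; add an explicit `dist <= 0` rejection next to the bounds check (or validate `dist_code` before PlaneCodeToDistance()) rather than leaving it for later. The rewritten conditions themselves are the right shape: `src - data < dist` and `src_end - src < length` only subtract pointers that lie within the buffer (`data <= src <= src_end`), whereas the old `src - dist` and `src + length` formed out-of-range pointers before comparing them, which is undefined behaviour in C on top of the wraparound the commit message describes. A regression input whose first backward reference carries a distance larger than the current offset into `data` would confirm the decoder now returns `ok = 0` instead of crashing.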