Fix a crash due to wrong pointer-integer arithmetic.

[Basically, the condition "src - dist < data" can be wrongly evaluated
to be false if "src < dist" due to underflow. Instead, "src - data <
dist" is the correct condition, as "src > data" is always true and so
there would never be an underflow].

Change-Id: Ic9f64bfe76a9acae97abc1fb7c1f4868e81f1eb8
Urvang Joshi 2012-05-09 14:38:31 +05:30
parent e40a3684f5
commit ce69177a41

@ -596,10 +596,12 @@ static int DecodeImageData(VP8LDecoder* const dec,
const int length_sym = code - NUM_LITERAL_CODES;
const int length = GetCopyLength(length_sym, br);
const int dist_symbol = ReadSymbol(&htree_group->htrees_[DIST], br);
// TODO(urvang): Evaluate if we should check 'dist_symbol', 'dist_code'
// and/or 'dist' to be valid.
VP8LFillBitWindow(br);
dist_code = GetCopyDistance(dist_symbol, br);
dist = PlaneCodeToDistance(width, dist_code);
if (src - dist < data || src + length > src_end) {
if (src - data < dist || src_end - src < length) {
ok = 0;
goto Error;
}
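
Review bot: the rewritten condition `src - data < dist || src_end - src < length` bounds `dist` and `length` only from above, so non-positive values are not rejected. `length` is declared as a signed `const int`, and the TODO in this same hunk says `dist_symbol`, `dist_code` and `dist` are not yet validated. If `GetCopyLength` or `PlaneCodeToDistance` can return zero or a negative value, both comparisons evaluate to false and the copy proceeds with a source at or past `src`, or with a negative length. Consider also rejecting `dist <= 0` and `length <= 0` in this `if`, or resolving the TODO as part of this change. A one-line comment explaining that the check compares differences rather than computing `src - dist` would keep it from being "simplified" back to the old form later.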