dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-04-11 19:36:47 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix a crash due to wrong pointer-integer arithmetic.

Browse Source 
[Basically, the condition "src - dist < data" can be wrongly evaluated
to be false if "src < dist" due to underflow. Instead, "src - data <
dist" is the correct condition, as "src > data" is always true and so
there would never be an underflow].

Change-Id: Ic9f64bfe76a9acae97abc1fb7c1f4868e81f1eb8
This commit is contained in:
Urvang Joshi 2012-05-09 14:38:31 +05:30
parent e40a3684f5
commit ce69177a41
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/dec/vp8l.c
View File

@ -596,10 +596,12 @@ static int DecodeImageData(VP8LDecoder* const dec,
const int length_sym = code - NUM_LITERAL_CODES; const int length_sym = code - NUM_LITERAL_CODES;
const int length = GetCopyLength(length_sym, br); const int length = GetCopyLength(length_sym, br);
const int dist_symbol = ReadSymbol(&htree_group->htrees_[DIST], br); const int dist_symbol = ReadSymbol(&htree_group->htrees_[DIST], br);
// TODO(urvang): Evaluate if we should check 'dist_symbol', 'dist_code'
// and/or 'dist' to be valid.
VP8LFillBitWindow(br); VP8LFillBitWindow(br);
dist_code = GetCopyDistance(dist_symbol, br); dist_code = GetCopyDistance(dist_symbol, br);
dist = PlaneCodeToDistance(width, dist_code); dist = PlaneCodeToDistance(width, dist_code);
if (src - dist < data || src + length > src_end) { if (src - data < dist || src_end - src < length) {
ok = 0; ok = 0;
goto Error; goto Error;
} }