From: reimar
Date: Fri, 17 Apr 2009 18:03:00 +0000 (+0000)
Subject: Change buffer size checks to avoid the very unlikely overflow case.
X-Git-Url: https://rtime.felk.cvut.cz/gitweb/frescor/ffmpeg.git/commitdiff_plain/ec00c411d7f0a4138598ec23a03dbf9f4a0890a0
Change buffer size checks to avoid the very unlikely overflow case.
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18576 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
---
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 9a311eae6..5c99e9848 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -140,12 +140,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
offset = *src++; size = opcode & 3;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; memcpy(dest, src, size); dest += size; src += size; size = ((opcode & 0x1c) >> 2) + 3;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; av_memcpy_backptr(dest, ((opcode & 0x60) << 3) + offset + 1, size); dest += size;
@@ -156,12 +156,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
byte2 = *src++; size = byte1 >> 6;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; memcpy(dest, src, size); dest += size; src += size; size = (opcode & 0x3f) + 4;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; av_memcpy_backptr(dest, ((byte1 & 0x3f) << 8) + byte2 + 1, size); dest += size;
@@ -173,12 +173,12 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
byte3 = *src++; size = opcode & 3;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; memcpy(dest, src, size); dest += size; src += size; size = byte3 + 5 + ((opcode & 0xc) << 6);
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; av_memcpy_backptr(dest, ((opcode & 0x10) << 12) + 1 + (byte1 << 8) + byte2,
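Review bot: The back-reference distance passed to `av_memcpy_backptr` in the hunk at -140 (`((opcode & 0x60) << 3) + offset + 1`) is never compared with the number of bytes already written; the rewritten guard bounds only the forward write against `dest_end`. A distance larger than the output produced so far would make the copy read from before the start of the destination buffer, and the same holds for the back-reference calls in the hunks at -156 and -173. Keeping the initial `dest` in a local (called `dest_org` here, a name not in the visible code) and extending the guard, e.g. `if (size > dest_end - dest || back > dest - dest_org) return;` with `back` holding the computed distance, would close that. The body of xan_unpack starts and ends outside these hunks.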
@@ -190,7 +190,7 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
if (size > 0x70) break;
- if (dest + size > dest_end)
+ if (size > dest_end - dest)
return; memcpy(dest, src, size); dest += size; src += size; }
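Review bot: The literal copy `memcpy(dest, src, size)` in this hunk is bounded on the destination side only; nothing visible limits how far `src` is read, and `size` can be as large as 0x70 at this point. The part of the signature shown in the (truncated) hunk header carries a destination length but no source length, so if the caller passes none, a short or malformed packet leads to reads past the end of the input buffer; the `*src++` reads and literal copies in the hunks at -140, -156 and -173 share this. Passing the input size into xan_unpack and checking it next to the destination bound, e.g. `if (size > dest_end - dest || size > src_end - src) return;` with `src_end` derived from that new parameter, would cover it. The enclosing loop and function continue outside the hunk.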