Fix possibly exploitable out of buffer writes in msrle_decode_pal4().
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 2 Nov 2010 01:19:15 +0000 (01:19 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 2 Nov 2010 01:19:15 +0000 (01:19 +0000)
This fix is minimalistic, that function should be cleaned up by someone.

Originally committed as revision 25633 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/msrledec.c

index 098e7d8..9751083 100644 (file)
@@ -45,7 +45,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
     unsigned char rle_code;
     unsigned char extra_byte, odd_pixel;
     unsigned char stream_byte;
-    int pixel_ptr = 0;
+    unsigned int pixel_ptr = 0;
     int row_dec = pic->linesize[0];
     int row_ptr = (avctx->height - 1) * row_dec;
     int frame_size = row_dec * avctx->height;