From d38345878cbb89e4d8d33bd79f47836d4e9cd637 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Tue, 29 Mar 2011 07:14:44 -0700
Subject: dfa: protect pointer range checks against overflows.

---
 libavcodec/dfa.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'libavcodec/dfa.c')

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 1023197c38..b149791136 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -81,7 +81,7 @@ static int decode_tsw1(uint8_t *frame, int width, int height,
             v = bytestream_get_le16(&src);
             offset = (v & 0x1FFF) << 1;
             count = ((v >> 13) + 2) << 1;
-            if (frame - offset < frame_start || frame_end - frame < count)
+            if (frame - frame_start < offset || frame_end - frame < count)
                 return -1;
             av_memcpy_backptr(frame, offset, count);
             frame += count;
@@ -117,7 +117,7 @@ static int decode_dsw1(uint8_t *frame, int width, int height,
             v = bytestream_get_le16(&src);
             offset = (v & 0x1FFF) << 1;
             count = ((v >> 13) + 2) << 1;
-            if (frame - offset < frame_start || frame_end - frame < count)
+            if (frame - frame_start < offset || frame_end - frame < count)
                 return -1;
             // can't use av_memcpy_backptr() since it can overwrite following pixels
             for (v = 0; v < count; v++)
@@ -157,7 +157,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
             v = bytestream_get_le16(&src);
             offset = (v & 0x1FFF) << 2;
             count = ((v >> 13) + 2) << 1;
-            if (frame - offset < frame_start || frame_end - frame < count*2 + width)
+            if (frame - frame_start < offset || frame_end - frame < count*2 + width)
                 return -1;
             for (i = 0; i < count; i++) {
                 frame[0] = frame[1] =
-- 
cgit v1.2.3