From 0cb7f8a26094c533b7dbe25897198953b6660f15 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sun, 25 Mar 2007 23:37:38 +0000
Subject: check input validity, this prevents a few variables from reachin odd
 values which might have lead to out of array writes and thus might have been
 exploitable

Originally committed as revision 8522 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/lzw.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'libavcodec/lzw.c')

diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c
index 17194ff2fb..24b8194ac1 100644
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -196,7 +196,6 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
         }
         c = lzw_get_code(s);
         if (c == s->end_code) {
-            s->end_code = -1;
             break;
         } else if (c == s->clear_code) {
             s->cursize = s->codesize + 1;
@@ -206,10 +205,11 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
             fc= oc= -1;
         } else {
             code = c;
-            if (code >= s->slot) {
+            if (code == s->slot && fc>=0) {
                 *sp++ = fc;
                 code = oc;
-            }
+            }else if(code >= s->slot)
+                break;
             while (code >= s->newcodes) {
                 *sp++ = s->suffix[code];
                 code = s->prefix[code];
@@ -229,6 +229,7 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
             }
         }
     }
+    s->end_code = -1;
   the_end:
     s->sp = sp;
     s->oc = oc;
-- 
cgit v1.2.3