[PATCHv2] quic: Fix "OVERRUN" caught by coverity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Check for MELCSTAT - 1 to get inside the branch, otherwise
(...)->rgb_state.melcstate may be up to MELCSTATE after the
pre-incrementing, which would result in an access to a position
that is out bounds of the array size MELCSTATE.
---
 common/quic.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/common/quic.c b/common/quic.c
index c10e3c4..4584336 100644
--- a/common/quic.c
+++ b/common/quic.c
@@ -578,7 +578,7 @@ static void encode_run(Encoder *encoder, unsigned int runlen) //todo: try use en
     while (runlen >= encoder->rgb_state.melcorder) {
         hits++;
         runlen -= encoder->rgb_state.melcorder;
-        if (encoder->rgb_state.melcstate < MELCSTATES) {
+        if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
             encoder->rgb_state.melclen = J[++encoder->rgb_state.melcstate];
             encoder->rgb_state.melcorder = (1L << encoder->rgb_state.melclen);
         }
@@ -610,7 +610,7 @@ static void encode_channel_run(Encoder *encoder, Channel *channel, unsigned int
     while (runlen >= channel->state.melcorder) {
         hits++;
         runlen -= channel->state.melcorder;
-        if (channel->state.melcstate < MELCSTATES) {
+        if (channel->state.melcstate < MELCSTATES - 1) {
             channel->state.melclen = J[++channel->state.melcstate];
             channel->state.melcorder = (1L << channel->state.melclen);
         }
@@ -647,7 +647,7 @@ static int decode_run(Encoder *encoder)
         for (hits = 1; hits <= temp; hits++) {
             runlen += encoder->rgb_state.melcorder;
 
-            if (encoder->rgb_state.melcstate < MELCSTATES) {
+            if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
                 encoder->rgb_state.melclen = J[++encoder->rgb_state.melcstate];
                 encoder->rgb_state.melcorder = (1U << encoder->rgb_state.melclen);
             }
@@ -688,7 +688,7 @@ static int decode_channel_run(Encoder *encoder, Channel *channel)
         for (hits = 1; hits <= temp; hits++) {
             runlen += channel->state.melcorder;
 
-            if (channel->state.melcstate < MELCSTATES) {
+            if (channel->state.melcstate < MELCSTATES - 1) {
                 channel->state.melclen = J[++channel->state.melcstate];
                 channel->state.melcorder = (1U << channel->state.melclen);
             }
-- 
1.9.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]