[Spice-commits] common/quic.c
Uri Lublin
uril at kemper.freedesktop.org
Tue Jul 15 03:04:03 PDT 2014
common/quic.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 2c5041c3f85564d0cc90b1414b668f696ba1104f
Author: Fabiano Fidêncio <fidencio at redhat.com>
Date: Mon Jul 14 12:09:56 2014 +0200
quic: Fix melcstate "OVERRUN" caught by coverity
Check for MELCSTATES - 1 to get inside the branch, otherwise
(...)->rgb_state.melcstate may be up to MELCSTATES after the
pre-incrementing, which would result in an access to a position
that is out of bounds of the array of size MELCSTATES.
diff --git a/common/quic.c b/common/quic.c
index c10e3c4..4584336 100644
--- a/common/quic.c
+++ b/common/quic.c
@@ -578,7 +578,7 @@ static void encode_run(Encoder *encoder, unsigned int runlen) //todo: try use en
while (runlen >= encoder->rgb_state.melcorder) {
hits++;
runlen -= encoder->rgb_state.melcorder;
- if (encoder->rgb_state.melcstate < MELCSTATES) {
+ if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
encoder->rgb_state.melclen = J[++encoder->rgb_state.melcstate];
encoder->rgb_state.melcorder = (1L << encoder->rgb_state.melclen);
}
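Review bot: The corrected bound in `encode_run` is only safe if `J` really has MELCSTATES entries, and nothing in this diff enforces that; `J`'s definition is outside the hunks, so this is inferred from the commit message. A compile-time check beside the table would pin the invariant, for example `_Static_assert(sizeof(J) / sizeof(J[0]) == MELCSTATES, "J must have MELCSTATES entries");` or the project's own equivalent if C11 is not assumed. The same guard-and-advance pair is open-coded in `encode_channel_run`, `decode_run` and `decode_channel_run`, which is how the off-by-one ended up in four places. A small `static` helper that takes the state and advances it would leave one bound check to audit. The loop and function body continue outside this hunk.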
@@ -610,7 +610,7 @@ static void encode_channel_run(Encoder *encoder, Channel *channel, unsigned int
while (runlen >= channel->state.melcorder) {
hits++;
runlen -= channel->state.melcorder;
- if (channel->state.melcstate < MELCSTATES) {
+ if (channel->state.melcstate < MELCSTATES - 1) {
channel->state.melclen = J[++channel->state.melcstate];
channel->state.melcorder = (1L << channel->state.melclen);
}
@@ -647,7 +647,7 @@ static int decode_run(Encoder *encoder)
for (hits = 1; hits <= temp; hits++) {
runlen += encoder->rgb_state.melcorder;
- if (encoder->rgb_state.melcstate < MELCSTATES) {
+ if (encoder->rgb_state.melcstate < MELCSTATES - 1) {
encoder->rgb_state.melclen = J[++encoder->rgb_state.melcstate];
encoder->rgb_state.melcorder = (1U << encoder->rgb_state.melclen);
}
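Review bot: `decode_run` computes `melcorder` with `1U << melclen`, while the encode paths in the first two hunks use `1L << melclen`, so the two sides of the codec derive the same value through different types. `decode_channel_run` has the same `1U` form. Encoder and decoder have to stay in step on `melcorder`, so it would be clearer to use one literal everywhere, matching the declared type of `melcorder` (not visible here), e.g. `encoder->rgb_state.melcorder = (1U << encoder->rgb_state.melclen);` in the encode functions as well. The decode side presumably runs on data from the peer, so a short comment on the `MELCSTATES - 1` check stating that it bounds the index into `J` would help keep the guard from being loosened later.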
@@ -688,7 +688,7 @@ static int decode_channel_run(Encoder *encoder, Channel *channel)
for (hits = 1; hits <= temp; hits++) {
runlen += channel->state.melcorder;
- if (channel->state.melcstate < MELCSTATES) {
+ if (channel->state.melcstate < MELCSTATES - 1) {
channel->state.melclen = J[++channel->state.melcstate];
channel->state.melcorder = (1U << channel->state.melclen);
}