diff options
| author | Federico Tomassetti <ftomassetti@groupon.com> | 2015-02-18 12:11:43 +0000 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2015-02-23 15:06:18 +0100 |
| commit | 161442ff2c4b0dd8a5072c6bbe6bf55303fffccf (patch) | |
| tree | 9e1ae7efa9d02e6c60fac76ffbb02aa071137a15 /libavcodec/mdec.c | |
| parent | fe208ca54b0d3b6bbe1c660d371bb2cc6cf40ffc (diff) | |
mdec: check for out of bounds read
Bug-Id: CID 1257501
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Diffstat (limited to 'libavcodec/mdec.c')
| -rw-r--r-- | libavcodec/mdec.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 6b70e37e76..2a779c1176 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -86,7 +86,12 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (level == 127) { break; } else if (level != 0) { - i += run; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 3; level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); @@ -96,8 +101,13 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) run = SHOW_UBITS(re, &a->gb, 6)+1; LAST_SKIP_BITS(re, &a->gb, 6); UPDATE_CACHE(re, &a->gb); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); - i += run; - j = scantable[i]; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } + j = scantable[i]; if (level < 0) { level = -level; level = (level * qscale * quant_matrix[j]) >> 3; @@ -108,10 +118,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) level = (level - 1) | 1; } } - if (i > 63) { - av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); - return AVERROR_INVALIDDATA; - } block[j] = level; } |