From c918e08b9cc9ce8d06159c51da55ec5ab018039a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: truemotion1: make sure index does not go out of bounds Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/truemotion1.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) (limited to 'libavcodec/truemotion1.c') diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index c1a39c2166..b1497d5011 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -515,6 +515,15 @@ hres,vres,i,i%vres (0 < i < 4) index = s->index_stream[index_stream_index++] * 4; \ } +#define INC_INDEX \ +do { \ + if (index >= 1023) { \ + av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \ + return; \ + } \ + index++; \ +} while (0) + #define APPLY_C_PREDICTOR() \ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ @@ -527,10 +536,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_C_PREDICTOR_24() \ predictor_pair = s->c_predictor_table[index]; \ @@ -544,10 +553,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR() \ @@ -562,10 +571,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR_24() \ predictor_pair = s->y_predictor_table[index]; \ @@ -579,10 +588,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define OUTPUT_PIXEL_PAIR() \ *current_pixel_pair = *vert_pred + horiz_pred; \ -- cgit v1.2.3