From 7f7af9e294f8bc00756922ab088430ea5b9d7498 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 31 Aug 2019 22:00:35 +0200
Subject: avcodec/vc1: check REFDIST

"9.1.1.43 P Reference Distance (REFDIST)"
"The value of REFDIST shall be less than, or equal to, 16."

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vc1.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'libavcodec/vc1.c')

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index e102b931d8..42bfca55b1 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -933,7 +933,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb)
         else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) {
             v->refdist = get_bits(gb, 2);
             if (v->refdist == 3)
-                v->refdist += get_unary(gb, 0, 16);
+                v->refdist += get_unary(gb, 0, 14);
+            if (v->refdist > 16)
+                return AVERROR_INVALIDDATA;
         }
         if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) {
             if (read_bfraction(v, gb) < 0)
-- 
cgit v1.2.3