From 9ffe44c5c75c485b4cbb12751e228f18da219df3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 19 Aug 2016 13:07:14 +0200
Subject: avcodec/indeo2: check ctab

Fixes out of array access
Fixes: 6b73fa392ac808f02e95a4e0a5770026/asan_static-oob_1b15f9a_1969_e7778535e5f27225fe0d6ded14721430.AVI

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/indeo2.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'libavcodec')

diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index a58dfa0910..c89845233e 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -172,6 +172,12 @@ static int ir2_decode_frame(AVCodecContext *avctx,
 
     ltab = buf[0x22] & 3;
     ctab = buf[0x22] >> 2;
+
+    if (ctab > 3) {
+        av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab);
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->decode_delta) { /* intraframe */
         if ((ret = ir2_decode_plane(s, avctx->width, avctx->height,
                                     p->data[0], p->linesize[0],
-- 
cgit v1.2.3