vp3dec: Check coefficient index in vp3_dequant()

Based on a patch by Michael Niedermayer <michaelni@gmx.at> Fixes NGS00145, CVE-2011-4352 Found-by: Phillip Langlois Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit bba709214a51ffd665a67404d3beb3727bb3f319) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Reinhard Tartler <siretart@tauware.de> 2011-12-04 10:10:33 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2011-12-24 15:47:57 +0100
commit: bd071de29ae33a0ea99fd52793394a377ca61589 (patch)
tree: 0b906c0953cdcea9c9c3e70fc15c6448e5706d2e
parent: 8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4 (diff)
download: ffmpeg-bd071de29ae33a0ea99fd52793394a377ca61589.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c08de6ca2c..fe8af86440 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1285,6 +1285,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
         case 1: // zero run
             s->dct_tokens[plane][i]++;
             i += (token >> 2) & 0x7f;
+            if (i > 63) {
+                av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n");
+                return i;
+            }
             block[perm[i]] = (token >> 9) * dequantizer[perm[i]];
             i++;
             break;
@@ -1458,7 +1462,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
                     /* invert DCT and place (or add) in final output */
 
                     if (s->all_fragments[i].coding_method == MODE_INTRA) {
-                        vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+                        int index;
+                        index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
+                        if (index > 63)
+                            continue;
                         if(s->avctx->idct_algo!=FF_IDCT_VP3)
                             block[0] += 128<<3;
                         s->dsp.idct_put(
@@ -1466,7 +1473,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
                             stride,
                             block);
                     } else {
-                        if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
+                        int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
+                        if (index > 63)
+                            continue;
+                        if (index > 0) {
                         s->dsp.idct_add(
                             output_plane + first_pixel,
                             stride,
author	Reinhard Tartler <siretart@tauware.de>	2011-12-04 10:10:33 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2011-12-24 15:47:57 +0100
commit	bd071de29ae33a0ea99fd52793394a377ca61589 (patch)
tree	0b906c0953cdcea9c9c3e70fc15c6448e5706d2e
parent	8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4 (diff)
download	ffmpeg-bd071de29ae33a0ea99fd52793394a377ca61589.tar.gz