diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2014-02-01 17:07:40 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-02-23 14:47:46 +0100 |
commit | ab1c7113f9ec1e169d654990dc5379af1570d2ce (patch) | |
tree | 7f0e9281fe073b910b2c60c8092b0c8a96b109de | |
parent | 10a30e4de5618af812a47e6a3a3710c32ae54e60 (diff) | |
download | ffmpeg-ab1c7113f9ec1e169d654990dc5379af1570d2ce.tar.gz |
avcodec/vc1: Check bfraction_lut_index
Fixes: out of array read
Fixes: asan_static-oob_1b40507_2849_SA10143.vc1
Fixes: asan_static-oob_1b40a15_2849_cov_1182297305_SA10143.vc1
Fixes: asan_static-oob_1b40f15_2849_cov_2159513432_SA10143.vc1
Fixes: asan_static-oob_1b40f15_2849_cov_3230311510_SA10143.vc1
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dcf5bfbdb6137ffdca66e0b7c2929ced42732951)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/vc1.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 728c7defe8..b9a6fdfb52 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -628,7 +628,13 @@ static void rotate_luts(VC1Context *v) } static int read_bfraction(VC1Context *v, GetBitContext* gb) { - v->bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1); + int bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1); + + if (bfraction_lut_index == 21 || bfraction_lut_index < 0) { + av_log(v->s.avctx, AV_LOG_ERROR, "bfraction invalid\n"); + return AVERROR_INVALIDDATA; + } + v->bfraction_lut_index = bfraction_lut_index; v->bfraction = ff_vc1_bfraction_lut[v->bfraction_lut_index]; return 0; } |