diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 00:13:52 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 00:13:52 +0100 |
| commit | 8f1bb3d59850932d43a60472ff98c723268a3958 (patch) | |
| tree | e41cfdf1fc6c3bb55d928189857116ae1a11657d | |
| parent | cd0cfdc0a74cbf45f0d00b65faaf3cf5bd93c016 (diff) | |
| download | ffmpeg-8f1bb3d59850932d43a60472ff98c723268a3958.tar.gz | |
wc4: fix out of chroma LUT reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/xxan.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index de55d082ae..2ab34e1983 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -162,6 +162,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) int i, j; const uint8_t *src, *src_end; const uint8_t *table; + int table_size; int mode, offset, dec_size; chroma_off = AV_RL32(buf + 4); @@ -173,6 +174,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) } src = avpkt->data + 4 + chroma_off; table = src + 2; + table_size = avpkt->data + avpkt->size - table; mode = bytestream_get_le16(&src); offset = bytestream_get_le16(&src) * 2; @@ -200,6 +202,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) return 0; val = *src++; if (val) { + if (val << 1 >= table_size) + return AVERROR_INVALIDDATA; val = AV_RL16(table + (val << 1)); uval = (val >> 3) & 0xF8; vval = (val >> 8) & 0xF8; @@ -220,6 +224,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt) return 0; val = *src++; if (val) { + if (val << 1 >= table_size) + return AVERROR_INVALIDDATA; val = AV_RL16(table + (val << 1)); uval = (val >> 3) & 0xF8; vval = (val >> 8) & 0xF8; |