diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 22:11:53 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 22:22:51 +0200 |
commit | a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e (patch) | |
tree | 68f156868fb5edfb6a9aecc41ca4fe444cdc7be3 | |
parent | 8a521d57b30c86a222c99a8c65d663cd227ea834 (diff) | |
download | ffmpeg-a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e.tar.gz |
indeo3dec: check mv bitstream pointer
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/indeo3.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 62cd835a9b..c24252a043 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -801,6 +801,10 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* get motion vector index and setup the pointer to the mv set */ if (!ctx->need_resync) ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3]; + if (ctx->next_cell_data >= ctx->last_byte) { + av_log(avctx, AV_LOG_ERROR, "motion vector out of array\n"); + return AVERROR_INVALIDDATA; + } mv_idx = *(ctx->next_cell_data++); if (mv_idx >= ctx->num_vectors) { av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n"); |