aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnton Khirnov <anton@khirnov.net>2013-11-15 19:06:23 +0100
committerAnton Khirnov <anton@khirnov.net>2013-11-21 20:58:08 +0100
commitc918e08b9cc9ce8d06159c51da55ec5ab018039a (patch)
tree46d6b1a2fd61403e3aa743428143afbb3f1963c5
parentce9bba5340a5fb6f38974a19af019dd6aa2da035 (diff)
downloadffmpeg-c918e08b9cc9ce8d06159c51da55ec5ab018039a.tar.gz
truemotion1: make sure index does not go out of bounds
Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org
-rw-r--r--libavcodec/truemotion1.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index c1a39c2166..b1497d5011 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -515,6 +515,15 @@ hres,vres,i,i%vres (0 < i < 4)
index = s->index_stream[index_stream_index++] * 4; \
}
+#define INC_INDEX \
+do { \
+ if (index >= 1023) { \
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \
+ return; \
+ } \
+ index++; \
+} while (0)
+
#define APPLY_C_PREDICTOR() \
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
@@ -527,10 +536,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_C_PREDICTOR_24() \
predictor_pair = s->c_predictor_table[index]; \
@@ -544,10 +553,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_Y_PREDICTOR() \
@@ -562,10 +571,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define APPLY_Y_PREDICTOR_24() \
predictor_pair = s->y_predictor_table[index]; \
@@ -579,10 +588,10 @@ hres,vres,i,i%vres (0 < i < 4)
if (predictor_pair & 1) \
GET_NEXT_INDEX() \
else \
- index++; \
+ INC_INDEX; \
} \
} else \
- index++;
+ INC_INDEX;
#define OUTPUT_PIXEL_PAIR() \
*current_pixel_pair = *vert_pred + horiz_pred; \