diff options
author | Anton Khirnov <anton@khirnov.net> | 2013-11-15 19:06:23 +0100 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2013-11-21 20:58:08 +0100 |
commit | c918e08b9cc9ce8d06159c51da55ec5ab018039a (patch) | |
tree | 46d6b1a2fd61403e3aa743428143afbb3f1963c5 | |
parent | ce9bba5340a5fb6f38974a19af019dd6aa2da035 (diff) | |
download | ffmpeg-c918e08b9cc9ce8d06159c51da55ec5ab018039a.tar.gz |
truemotion1: make sure index does not go out of bounds
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
-rw-r--r-- | libavcodec/truemotion1.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index c1a39c2166..b1497d5011 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -515,6 +515,15 @@ hres,vres,i,i%vres (0 < i < 4) index = s->index_stream[index_stream_index++] * 4; \ } +#define INC_INDEX \ +do { \ + if (index >= 1023) { \ + av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \ + return; \ + } \ + index++; \ +} while (0) + #define APPLY_C_PREDICTOR() \ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ @@ -527,10 +536,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_C_PREDICTOR_24() \ predictor_pair = s->c_predictor_table[index]; \ @@ -544,10 +553,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR() \ @@ -562,10 +571,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR_24() \ predictor_pair = s->y_predictor_table[index]; \ @@ -579,10 +588,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define OUTPUT_PIXEL_PAIR() \ *current_pixel_pair = *vert_pred + horiz_pred; \ |