aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-10-30 20:47:22 +0100
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-10-30 22:38:03 +0100
commit14e4e26559697cfdea584767be4e68474a0a9c7f (patch)
tree28d34d10496cbe3d6722575f5cdff631949d4692
parent2d99101d0964f754822fb4af121c4abc69047dba (diff)
downloadffmpeg-14e4e26559697cfdea584767be4e68474a0a9c7f.tar.gz
interplayacm: check for too large b
This fixes out-of-bounds reads. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-rw-r--r--libavcodec/interplayacm.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index 0fd350167a..0486e00b1e 100644
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 3) + (x3 * 9) */
b = get_bits(gb, 5);
+ if (b > 26) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+ return AVERROR_INVALIDDATA;
+ }
n1 = (mul_3x3[b] & 0x0F) - 1;
n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
@@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 5) + (x3 * 25) */
b = get_bits(gb, 7);
+ if (b > 124) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+ return AVERROR_INVALIDDATA;
+ }
n1 = (mul_3x5[b] & 0x0F) - 2;
n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 11) */
b = get_bits(gb, 7);
+ if (b > 120) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+ return AVERROR_INVALIDDATA;
+ }
n1 = (mul_2x11[b] & 0x0F) - 5;
n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;