author | Martin Storsjö <martin@martin.st> | 2013-09-11 23:25:04 +0300 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2013-09-12 10:54:54 +0300 |
commit | 0f678c0214dccb355ed8955077a2bea46984fbc8 (patch) | |
tree | c7a742a5d9cb8dc397a61d7af1ed800ce0b319e3 | |
parent | 17d57848fc14e82f76a65ffb25c90f2f011dc4a0 (diff) | |
download | ffmpeg-0f678c0214dccb355ed8955077a2bea46984fbc8.tar.gz |
aic: Validate values read from the bitstream
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r-- | libavcodec/aic.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/aic.c b/libavcodec/aic.c
index e46c00349a..f295249f30 100644
--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@@ -215,12 +215,14 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
 idx = -1;
 do {
 GET_CODE(val, skip_type, skip_bits);
+ if (val < 0)
+ return AVERROR_INVALIDDATA;
 idx += val + 1;
 if (idx >= num_coeffs)
 break;
 GET_CODE(val, coeff_type, coeff_bits);
 val++;
- if (val >= 0x10000)
+ if (val >= 0x10000 || val < 0)
 return AVERROR_INVALIDDATA;
 dst[scan[idx]] = val;
 } while (idx < num_coeffs - 1);
@@ -230,7 +232,7 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
 for (mb = 0; mb < slice_width; mb++) {
 for (idx = 0; idx < num_coeffs; idx++) {
 GET_CODE(val, coeff_type, coeff_bits);
- if (val >= 0x10000)
+ if (val >= 0x10000 || val < 0)
 return AVERROR_INVALIDDATA;
 dst[scan[idx]] = val;
 } |
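Review bot: The `val < 0` check added before `idx += val + 1` bounds the skip value only from below; a very large `val` would make that signed addition overflow, and a wrapped negative `idx` passes `idx >= num_coeffs` and then indexes `scan[]` out of bounds. Whether GET_CODE can return a value that large is not visible in this hunk, so treat this as hardening rather than a confirmed bug. Testing before adding removes the dependency: `if (val >= num_coeffs - idx - 1) break;` placed ahead of `idx += val + 1;` (note that `idx` is then left unadvanced on the break path, which matters only if it is read afterwards). The do/while sits inside a function whose start and end are outside the hunk.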
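Review bot: The coefficient check in this second hunk, and the identical one in the first hunk, still accepts values up to 0xFFFF, while `dst` is declared `int16_t *` in the hunk header, so anything from 0x8000 upward is converted on the store `dst[scan[idx]] = val` and comes out negative. If the 16-bit pattern is meant to be reinterpreted by later code, a comment such as `/* stored as a raw 16-bit code; the narrowing is intentional */` would make that explicit; if it is not, the upper bound should be `0x8000`. The enclosing loops continue outside the hunk.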