aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Storsjö <martin@martin.st>2013-09-11 23:25:04 +0300
committerMartin Storsjö <martin@martin.st>2013-09-12 10:54:54 +0300
commit0f678c0214dccb355ed8955077a2bea46984fbc8 (patch)
treec7a742a5d9cb8dc397a61d7af1ed800ce0b319e3
parent17d57848fc14e82f76a65ffb25c90f2f011dc4a0 (diff)
downloadffmpeg-0f678c0214dccb355ed8955077a2bea46984fbc8.tar.gz
aic: Validate values read from the bitstream
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r--libavcodec/aic.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/aic.c b/libavcodec/aic.c
index e46c00349a..f295249f30 100644
--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@@ -215,12 +215,14 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
idx = -1;
do {
GET_CODE(val, skip_type, skip_bits);
+ if (val < 0)
+ return AVERROR_INVALIDDATA;
idx += val + 1;
if (idx >= num_coeffs)
break;
GET_CODE(val, coeff_type, coeff_bits);
val++;
- if (val >= 0x10000)
+ if (val >= 0x10000 || val < 0)
return AVERROR_INVALIDDATA;
dst[scan[idx]] = val;
} while (idx < num_coeffs - 1);
@@ -230,7 +232,7 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
for (mb = 0; mb < slice_width; mb++) {
for (idx = 0; idx < num_coeffs; idx++) {
GET_CODE(val, coeff_type, coeff_bits);
- if (val >= 0x10000)
+ if (val >= 0x10000 || val < 0)
return AVERROR_INVALIDDATA;
dst[scan[idx]] = val;
}