aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-11-25 18:04:17 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-25 18:04:17 +0100
commit1afe49b062a959ed0433e4fd9c1b5dff829ae03e (patch)
treef9a6e8e1a66a99d38b15754f3428b22f6f35a234
parente9e642cbfbf36285f60d1dba00103f068b077940 (diff)
downloadffmpeg-1afe49b062a959ed0433e4fd9c1b5dff829ae03e.tar.gz
indeo3: out of array read checks for decode_plane()
Fixes: avi+indeo3+++1-dog.avi Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/indeo3.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index b20c3fc676..c22d257fb9 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -798,15 +798,19 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
int32_t strip_width)
{
Cell curr_cell;
- int num_vectors;
+ uint32_t num_vectors;
/* each plane data starts with mc_vector_count field, */
/* an optional array of motion vectors followed by the vq data */
num_vectors = bytestream_get_le32(&data);
+ if(num_vectors >= data_size/2)
+ return AVERROR_INVALIDDATA;
ctx->mc_vectors = num_vectors ? data : 0;
+ data += num_vectors * 2;
+ data_size-= num_vectors * 2;
/* init the bitreader */
- init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+ init_get_bits(&ctx->gb, data, data_size << 3);
ctx->skip_bits = 0;
ctx->need_resync = 0;